Sign-up

ID

VAR-201609-0314


CVE

CVE-2016-6404


TITLE

Cisco IOS and IOS XE Cisco IOx Local Manager Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-07871 // CNNVD: CNNVD-201609-346

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web framework in Cisco IOx Local Manager in IOS 15.5(2)T and IOS XE allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy19854. Both Cisco IOS and IOSXE are operating systems developed by Cisco for its network devices. CiscoIOxLocalManager is one of the local management components. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuy19854

Trust: 2.52

sources: NVD: CVE-2016-6404 // JVNDB: JVNDB-2016-004795 // CNVD: CNVD-2016-07871 // BID: 92963 // VULHUB: VHN-95224

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-07871

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:15.5\(2\)t

Trust: 1.6

vendor:ciscomodel:iosscope:eqversion:15.5(2)t

Trust: 0.8

vendor:ciscomodel:ios xescope: - version: -

Trust: 0.8

vendor:ciscomodel:ios 15.5 tscope: - version: -

Trust: 0.6

vendor:ciscomodel:ios xe softwarescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:iosscope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2016-07871 // BID: 92963 // JVNDB: JVNDB-2016-004795 // CNNVD: CNNVD-201609-346 // NVD: CVE-2016-6404

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6404
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-6404
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-07871
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201609-346
value: MEDIUM

Trust: 0.6

VULHUB: VHN-95224
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-6404
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-07871
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-95224
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-6404
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-07871 // VULHUB: VHN-95224 // JVNDB: JVNDB-2016-004795 // CNNVD: CNNVD-201609-346 // NVD: CVE-2016-6404

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-95224 // JVNDB: JVNDB-2016-004795 // NVD: CVE-2016-6404

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201609-346

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201609-346

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-004795

PATCH
title:cisco-sa-20160914-iosurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-ios
Trust: 0.8
title:Patch for Cisco IOS and IOSXE CiscoIOxLocalManager Cross-Site Scripting Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/81595
Trust: 0.6
title:Cisco IOS  and IOS XE Cisco IOx Local Manager Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64145
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-07871 // 
            
            
            
            JVNDB: JVNDB-2016-004795 // 
            
            
            
            CNNVD: CNNVD-201609-346

EXTERNAL IDS
db:NVDid:CVE-2016-6404
Trust: 3.4
db:BIDid:92963
Trust: 2.0
db:SECTRACKid:1036834
Trust: 1.1
db:JVNDBid:JVNDB-2016-004795
Trust: 0.8
db:CNNVDid:CNNVD-201609-346
Trust: 0.7
db:CNVDid:CNVD-2016-07871
Trust: 0.6
db:VULHUBid:VHN-95224
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-07871 // 
            
            
            
            VULHUB: VHN-95224 // 
            
            
            
            BID: 92963 // 
            
            
            
            JVNDB: JVNDB-2016-004795 // 
            
            
            
            CNNVD: CNNVD-201609-346 // 
            
            
            
            NVD: CVE-2016-6404

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160914-ios
Trust: 2.6
url:http://www.securityfocus.com/bid/92963
Trust: 1.1
url:http://www.securitytracker.com/id/1036834
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6404
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6404
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-07871 // 
            
            
            
            VULHUB: VHN-95224 // 
            
            
            
            BID: 92963 // 
            
            
            
            JVNDB: JVNDB-2016-004795 // 
            
            
            
            CNNVD: CNNVD-201609-346 // 
            
            
            
            NVD: CVE-2016-6404

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 92963

SOURCES
db:CNVDid:CNVD-2016-07871
db:VULHUBid:VHN-95224
db:BIDid:92963
db:JVNDBid:JVNDB-2016-004795
db:CNNVDid:CNNVD-201609-346
db:NVDid:CVE-2016-6404

LAST UPDATE DATE
2025-04-13T23:21:06.265000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-07871date:2016-09-22T00:00:00
db:VULHUBid:VHN-95224date:2017-07-30T00:00:00
db:BIDid:92963date:2016-09-14T00:00:00
db:JVNDBid:JVNDB-2016-004795date:2016-09-21T00:00:00
db:CNNVDid:CNNVD-201609-346date:2016-09-19T00:00:00
db:NVDid:CVE-2016-6404date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-07871date:2016-09-22T00:00:00
db:VULHUBid:VHN-95224date:2016-09-18T00:00:00
db:BIDid:92963date:2016-09-14T00:00:00
db:JVNDBid:JVNDB-2016-004795date:2016-09-21T00:00:00
db:CNNVDid:CNNVD-201609-346date:2016-09-19T00:00:00
db:NVDid:CVE-2016-6404date:2016-09-18T22:59:13.517