ID

VAR-201609-0585


CVE

CVE-2016-6840


TITLE

Huawei OceanStor ISM Management interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-005044

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the management interface in Huawei OceanStor ISM before V200R001C04SPC200 allows remote attackers to inject arbitrary web script or HTML via the loginName parameter to cgi-bin/doLogin_CgiEntry and possibly other unspecified vectors. Huawei OceanStor ISM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Huawei OceanStor ISM is a set of integrated system management software used in storage products of Huawei in China. The following products and versions are affected: Huawei OceanStor ISM V200R001C01, V200R001C02, V200R001C03, and versions earlier than V200R001C04SPC200.

Trust: 2.07

sources: NVD: CVE-2016-6840 // JVNDB: JVNDB-2016-005044 // BID: 92554 // VULHUB: VHN-95660 // VULMON: CVE-2016-6840

AFFECTED PRODUCTS

vendor: huawei, model: oceanstor ism, scope: eq, version: v200r001c02

Trust: 1.6

vendor: huawei, model: oceanstor ism, scope: eq, version: v200r001c03

Trust: 1.6

vendor: huawei, model: oceanstor ism, scope: eq, version: v200r001c01

Trust: 1.6

vendor: huawei, model: oceanstor ism, scope: lt, version: v200r001c01 v200r001c04spc200

Trust: 0.8

vendor: huawei, model: oceanstor ism v200r001c03, scope: -, version: -

Trust: 0.3

vendor: huawei, model: oceanstor ism v200r001c02, scope: -, version: -

Trust: 0.3

vendor: huawei, model: oceanstor ism v200r001c01, scope: -, version: -

Trust: 0.3

vendor: huawei, model: oceanstor ism v200r001c04spc200, scope: ne, version: -

Trust: 0.3

sources: BID: 92554 // JVNDB: JVNDB-2016-005044 // CNNVD: CNNVD-201608-406 // NVD: CVE-2016-6840

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6840
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-6840
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201608-406
value: MEDIUM

Trust: 0.6

VULHUB: VHN-95660
value: MEDIUM

Trust: 0.1

VULMON: CVE-2016-6840
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-6840
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-95660
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-6840
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-95660 // VULMON: CVE-2016-6840 // JVNDB: JVNDB-2016-005044 // CNNVD: CNNVD-201608-406 // NVD: CVE-2016-6840

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-95660 // JVNDB: JVNDB-2016-005044 // NVD: CVE-2016-6840

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-406

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201608-406

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005044

PATCH

title: huawei-sa-20160818-01-ism, url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160818-01-ism-en

Trust: 0.8

title: Huawei OceanStor ISM Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63736

Trust: 0.6

sources: JVNDB: JVNDB-2016-005044 // CNNVD: CNNVD-201608-406

EXTERNAL IDS

db: NVD, id: CVE-2016-6840

Trust: 2.9

db: BID, id: 92554

Trust: 2.1

db: PACKETSTORM, id: 138061

Trust: 1.8

db: JVNDB, id: JVNDB-2016-005044

Trust: 0.8

db: CNNVD, id: CNNVD-201608-406

Trust: 0.7

db: VULHUB, id: VHN-95660

Trust: 0.1

db: VULMON, id: CVE-2016-6840

Trust: 0.1

sources: VULHUB: VHN-95660 // VULMON: CVE-2016-6840 // BID: 92554 // JVNDB: JVNDB-2016-005044 // CNNVD: CNNVD-201608-406 // NVD: CVE-2016-6840

REFERENCES

url:http://www.securityfocus.com/bid/92554

Trust: 1.8

url:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160818-01-ism-en

Trust: 1.8

url:http://packetstormsecurity.com/files/138061/huawei-ism-professional-cross-site-scripting.html

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6840

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6840

Trust: 0.8

url:http://www.huawei.com

Trust: 0.3

url:http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160818-01-ism-en

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-95660 // VULMON: CVE-2016-6840 // BID: 92554 // JVNDB: JVNDB-2016-005044 // CNNVD: CNNVD-201608-406 // NVD: CVE-2016-6840

CREDITS

Jiang Zhiwei

Trust: 0.9

sources: BID: 92554 // CNNVD: CNNVD-201608-406

SOURCES

db: VULHUB, id: VHN-95660
db: VULMON, id: CVE-2016-6840
db: BID, id: 92554
db: JVNDB, id: JVNDB-2016-005044
db: CNNVD, id: CNNVD-201608-406
db: NVD, id: CVE-2016-6840

LAST UPDATE DATE

2025-04-13T23:36:24.079000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-95660, date: 2016-09-28T00:00:00
db: VULMON, id: CVE-2016-6840, date: 2016-09-28T00:00:00
db: BID, id: 92554, date: 2016-08-18T00:00:00
db: JVNDB, id: JVNDB-2016-005044, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201608-406, date: 2016-09-27T00:00:00
db: NVD, id: CVE-2016-6840, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-95660, date: 2016-09-26T00:00:00
db: VULMON, id: CVE-2016-6840, date: 2016-09-26T00:00:00
db: BID, id: 92554, date: 2016-08-18T00:00:00
db: JVNDB, id: JVNDB-2016-005044, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201608-406, date: 2016-08-22T00:00:00
db: NVD, id: CVE-2016-6840, date: 2016-09-26T14:59:07.243