ID

VAR-201702-0081


CVE

CVE-2016-8376


TITLE

Kabona AB WebDatorCentral (WDC) Application vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-007584

DESCRIPTION

An issue was discovered in the Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. This non-validated redirect/non-validated forward (open redirect) allows chaining with authenticated vulnerabilities. Kabona AB WDC is a web-based SCADA system from Kabona AB, Sweden. An attacker could use this vulnerability to redirect a user to a malicious page. Kabona AB WDC is prone to multiple security vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks; to redirect a victim to an attacker-controlled site by constructing a crafted URI and enticing the user to follow it; and to bypass the authentication mechanism.

Trust: 2.61

sources: NVD: CVE-2016-8376 // JVNDB: JVNDB-2016-007584 // CNVD: CNVD-2016-09845 // BID: 93547 // IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632 // CNVD: CNVD-2016-09845

AFFECTED PRODUCTS

vendor: kabona ab, model: webdatorcentral, scope: eq, version: -

Trust: 1.6

vendor: kabona ab, model: webdatorcentral, scope: lt, version: 3.4.0

Trust: 0.8

vendor: kabona, model: ab wdc, scope: lt, version: 3.4.0

Trust: 0.6

vendor: kabona, model: ab wdc, scope: eq, version: 0

Trust: 0.3

vendor: kabona, model: ab wdc, scope: ne, version: 3.4

Trust: 0.3

vendor: webdatorcentral, model: -, scope: eq, version: -

Trust: 0.2

sources: IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632 // CNVD: CNVD-2016-09845 // BID: 93547 // JVNDB: JVNDB-2016-007584 // CNNVD: CNNVD-201610-459 // NVD: CVE-2016-8376

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-8376
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-8376
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-09845
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201610-459
value: MEDIUM

Trust: 0.6

IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632
value: MEDIUM

Trust: 0.2

CVSSV2

nvd@nist.gov: CVE-2016-8376
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-09845
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

CVSSV3

nvd@nist.gov: CVE-2016-8376
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 4.0
version: 3.0

Trust: 1.8

sources: IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632 // CNVD: CNVD-2016-09845 // JVNDB: JVNDB-2016-007584 // CNNVD: CNNVD-201610-459 // NVD: CVE-2016-8376

PROBLEMTYPE DATA

problemtype:CWE-601

Trust: 1.8

sources: JVNDB: JVNDB-2016-007584 // NVD: CVE-2016-8376

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-459

TYPE

other

Trust: 0.8

sources: IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632 // CNNVD: CNNVD-201610-459

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007584

PATCH

title: 'WDC' (WebDatorCentral), url: http://www.kabona.com/building-automation/wdc/

Trust: 0.8

title: Patch for Kabona AB WDC Open Redirection Vulnerability (CNVD-2016-09845), url: https://www.cnvd.org.cn/patchInfo/show/82889

Trust: 0.6

title: Kabona AB WDC Fixes for open redirect vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64830

Trust: 0.6

sources: CNVD: CNVD-2016-09845 // JVNDB: JVNDB-2016-007584 // CNNVD: CNNVD-201610-459

EXTERNAL IDS

db: NVD, id: CVE-2016-8376

Trust: 3.5

db: ICS CERT, id: ICSA-16-287-07

Trust: 2.7

db: BID, id: 93547

Trust: 2.5

db: CNVD, id: CNVD-2016-09845

Trust: 0.8

db: CNNVD, id: CNNVD-201610-459

Trust: 0.8

db: JVNDB, id: JVNDB-2016-007584

Trust: 0.8

db: IVD, id: 35821FAA-74B5-4B9B-8A1E-D05E8A517632

Trust: 0.2

sources: IVD: 35821faa-74b5-4b9b-8a1e-d05e8a517632 // CNVD: CNVD-2016-09845 // BID: 93547 // JVNDB: JVNDB-2016-007584 // CNNVD: CNNVD-201610-459 // NVD: CVE-2016-8376

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-287-07

Trust: 2.7

url:http://www.securityfocus.com/bid/93547

Trust: 2.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8376

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8376

Trust: 0.8

url:http://www.kabona.com/building-automation/wdc/

Trust: 0.3

sources: CNVD: CNVD-2016-09845 // BID: 93547 // JVNDB: JVNDB-2016-007584 // CNNVD: CNNVD-201610-459 // NVD: CVE-2016-8376

CREDITS

Martin Jartelius and John Stock of Outpost 24.

Trust: 0.9

sources: BID: 93547 // CNNVD: CNNVD-201610-459

SOURCES

db: IVD, id: 35821faa-74b5-4b9b-8a1e-d05e8a517632
db: CNVD, id: CNVD-2016-09845
db: BID, id: 93547
db: JVNDB, id: JVNDB-2016-007584
db: CNNVD, id: CNNVD-201610-459
db: NVD, id: CVE-2016-8376

LAST UPDATE DATE

2025-04-20T23:13:19.256000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-09845, date: 2016-10-24T00:00:00
db: BID, id: 93547, date: 2016-10-26T09:08:00
db: JVNDB, id: JVNDB-2016-007584, date: 2017-03-07T00:00:00
db: CNNVD, id: CNNVD-201610-459, date: 2016-10-18T00:00:00
db: NVD, id: CVE-2016-8376, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: 35821faa-74b5-4b9b-8a1e-d05e8a517632, date: 2016-10-24T00:00:00
db: CNVD, id: CNVD-2016-09845, date: 2016-10-24T00:00:00
db: BID, id: 93547, date: 2016-10-13T00:00:00
db: JVNDB, id: JVNDB-2016-007584, date: 2017-03-07T00:00:00
db: CNNVD, id: CNNVD-201610-459, date: 2016-10-18T00:00:00
db: NVD, id: CVE-2016-8376, date: 2017-02-13T21:59:01.313