ID

VAR-201702-0297


CVE

CVE-2016-8348


TITLE

Emerson Liebert SiteScan Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-11968 // CNNVD: CNNVD-201611-702

DESCRIPTION

An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5 and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser, causing the application to execute arbitrary code or disclose file contents from a server or connected network. Emerson Liebert SiteScan Web is a web-based data center monitoring application. Emerson Liebert SiteScan Web has an information disclosure vulnerability that can be used by remote attackers to submit special requests to obtain sensitive information. Emerson Liebert SiteScan is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. SiteScan Web 6.5 and prior versions are vulnerable.

Trust: 2.43

sources: NVD: CVE-2016-8348 // JVNDB: JVNDB-2016-007830 // CNVD: CNVD-2016-11968 // BID: 94587

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-11968

AFFECTED PRODUCTS

vendor: emerson, model: liebert sitescan web, scope: eq, version: 6.5

Trust: 1.5

vendor: emerson, model: liebert sitescan web, scope: lte, version: 6.5

Trust: 1.0

vendor: emerson, model: liebert sitescan web, scope: lt, version: 6.5

Trust: 0.8

vendor: emerson, model: liebert sitescan web, scope: eq, version: 6.1

Trust: 0.3

sources: CNVD: CNVD-2016-11968 // BID: 94587 // JVNDB: JVNDB-2016-007830 // CNNVD: CNNVD-201611-702 // NVD: CVE-2016-8348

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-8348
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-8348
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-11968
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201611-702
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2016-8348
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-11968
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2016-8348
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-11968 // JVNDB: JVNDB-2016-007830 // CNNVD: CNNVD-201611-702 // NVD: CVE-2016-8348

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2016-007830 // NVD: CVE-2016-8348

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-702

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201611-702

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007830

PATCH

title: Top Page, url: http://www.emerson.com/en-us

Trust: 0.8

title: Patch for Emerson Liebert SiteScan Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/85061

Trust: 0.6

title: Emerson Liebert SiteScan Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65969

Trust: 0.6

sources: CNVD: CNVD-2016-11968 // JVNDB: JVNDB-2016-007830 // CNNVD: CNNVD-201611-702

EXTERNAL IDS

db: NVD, id: CVE-2016-8348

Trust: 3.3

db: ICS CERT, id: ICSA-16-334-01

Trust: 2.7

db: BID, id: 94587

Trust: 2.5

db: JVNDB, id: JVNDB-2016-007830

Trust: 0.8

db: CNVD, id: CNVD-2016-11968

Trust: 0.6

db: CNNVD, id: CNNVD-201611-702

Trust: 0.6

sources: CNVD: CNVD-2016-11968 // BID: 94587 // JVNDB: JVNDB-2016-007830 // CNNVD: CNNVD-201611-702 // NVD: CVE-2016-8348

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-16-334-01

Trust: 2.7

url: http://www.securityfocus.com/bid/94587

Trust: 2.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8348

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8348

Trust: 0.8

url: http://emerson.com

Trust: 0.3

sources: CNVD: CNVD-2016-11968 // BID: 94587 // JVNDB: JVNDB-2016-007830 // CNNVD: CNNVD-201611-702 // NVD: CVE-2016-8348

CREDITS

Evgeny Ermakov from Positive Technologies.

Trust: 0.9

sources: BID: 94587 // CNNVD: CNNVD-201611-702

SOURCES

db: CNVD, id: CNVD-2016-11968
db: BID, id: 94587
db: JVNDB, id: JVNDB-2016-007830
db: CNNVD, id: CNNVD-201611-702
db: NVD, id: CVE-2016-8348

LAST UPDATE DATE

2025-04-20T23:05:36.992000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2016-11968, date: 2016-12-07T00:00:00
db: BID, id: 94587, date: 2016-12-20T02:03:00
db: JVNDB, id: JVNDB-2016-007830, date: 2017-03-23T00:00:00
db: CNNVD, id: CNNVD-201611-702, date: 2016-12-01T00:00:00
db: NVD, id: CVE-2016-8348, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2016-11968, date: 2016-12-07T00:00:00
db: BID, id: 94587, date: 2016-11-29T00:00:00
db: JVNDB, id: JVNDB-2016-007830, date: 2017-03-23T00:00:00
db: CNNVD, id: CNNVD-201611-702, date: 2016-11-29T00:00:00
db: NVD, id: CVE-2016-8348, date: 2017-02-13T21:59:00.707