ID

VAR-201702-0303


CVE

CVE-2016-8356


TITLE

Kabona AB WDC Open redirection vulnerability

Trust: 0.8

sources: IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 // CNVD: CNVD-2016-09863

DESCRIPTION

An issue was discovered in the Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. The web server's URL inputs are not sanitized correctly, which may allow cross-site scripting vulnerabilities. Kabona AB WDC is a web-based SCADA system from Kabona AB, Sweden. An attacker could use this vulnerability to redirect a user to a malicious page. Kabona AB WDC is prone to multiple security vulnerabilities. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks; alternatively, by constructing a crafted URI and enticing a user to follow it, an unsuspecting victim who follows the link may be redirected to an attacker-controlled site. The issues may also allow the attacker to bypass the authentication mechanism.

Trust: 2.61

sources: NVD: CVE-2016-8356 // JVNDB: JVNDB-2016-007583 // CNVD: CNVD-2016-09863 // BID: 93547 // IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 // CNVD: CNVD-2016-09863

AFFECTED PRODUCTS

vendor: kabona ab | model: webdatorcentral | scope: eq | version: -

Trust: 1.6

vendor: kabona ab | model: webdatorcentral | scope: lt | version: 3.4.0

Trust: 0.8

vendor: kabona | model: ab wdc | scope: lt | version: 3.4.0

Trust: 0.6

vendor: kabona | model: ab wdc | scope: eq | version: 0

Trust: 0.3

vendor: kabona | model: ab wdc | scope: ne | version: 3.4

Trust: 0.3

vendor: webdatorcentral | model: - | scope: eq | version: -

Trust: 0.2

sources: IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 // CNVD: CNVD-2016-09863 // BID: 93547 // JVNDB: JVNDB-2016-007583 // CNNVD: CNNVD-201610-458 // NVD: CVE-2016-8356

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8356
value: HIGH

Trust: 1.0

NVD: CVE-2016-8356
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-09863
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201610-458
value: MEDIUM

Trust: 0.6

IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-8356
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-09863
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-8356
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.0

Trust: 1.8

sources: IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 // CNVD: CNVD-2016-09863 // JVNDB: JVNDB-2016-007583 // CNNVD: CNNVD-201610-458 // NVD: CVE-2016-8356

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2016-007583 // NVD: CVE-2016-8356

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-458

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201610-458

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007583

PATCH

title: 'WDC' (WebDatorCentral)
url: http://www.kabona.com/building-automation/wdc/

Trust: 0.8

title: Kabona AB WDC Open Redirection Vulnerability Patch
url: https://www.cnvd.org.cn/patchInfo/show/82890

Trust: 0.6

title: Kabona AB WDC Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64829

Trust: 0.6

sources: CNVD: CNVD-2016-09863 // JVNDB: JVNDB-2016-007583 // CNNVD: CNNVD-201610-458

EXTERNAL IDS

db: NVD | id: CVE-2016-8356

Trust: 3.5

db: ICS CERT | id: ICSA-16-287-07

Trust: 2.7

db: BID | id: 93547

Trust: 2.5

db: CNVD | id: CNVD-2016-09863

Trust: 0.8

db: CNNVD | id: CNNVD-201610-458

Trust: 0.8

db: JVNDB | id: JVNDB-2016-007583

Trust: 0.8

db: IVD | id: 7D2DDE9B-E7CE-41A6-BDDD-F573AB4C0E04

Trust: 0.2

sources: IVD: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 // CNVD: CNVD-2016-09863 // BID: 93547 // JVNDB: JVNDB-2016-007583 // CNNVD: CNNVD-201610-458 // NVD: CVE-2016-8356

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-16-287-07

Trust: 2.7

url: http://www.securityfocus.com/bid/93547

Trust: 1.6

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8356

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8356

Trust: 0.8

url: http://www.securityfocus.com/bid/93547/discuss

Trust: 0.6

url: http://www.kabona.com/building-automation/wdc/

Trust: 0.3

sources: CNVD: CNVD-2016-09863 // BID: 93547 // JVNDB: JVNDB-2016-007583 // CNNVD: CNNVD-201610-458 // NVD: CVE-2016-8356

CREDITS

Martin Jartelius and John Stock of Outpost 24.

Trust: 0.9

sources: BID: 93547 // CNNVD: CNNVD-201610-458

SOURCES

db: IVD | id: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04
db: CNVD | id: CNVD-2016-09863
db: BID | id: 93547
db: JVNDB | id: JVNDB-2016-007583
db: CNNVD | id: CNNVD-201610-458
db: NVD | id: CVE-2016-8356

LAST UPDATE DATE

2025-04-20T23:13:22.880000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2016-09863 | date: 2016-10-24T00:00:00
db: BID | id: 93547 | date: 2016-10-26T09:08:00
db: JVNDB | id: JVNDB-2016-007583 | date: 2017-03-07T00:00:00
db: CNNVD | id: CNNVD-201610-458 | date: 2016-10-18T00:00:00
db: NVD | id: CVE-2016-8356 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD | id: 7d2dde9b-e7ce-41a6-bddd-f573ab4c0e04 | date: 2016-10-24T00:00:00
db: CNVD | id: CNVD-2016-09863 | date: 2016-10-24T00:00:00
db: BID | id: 93547 | date: 2016-10-13T00:00:00
db: JVNDB | id: JVNDB-2016-007583 | date: 2017-03-07T00:00:00
db: CNNVD | id: CNNVD-201610-458 | date: 2016-10-18T00:00:00
db: NVD | id: CVE-2016-8356 | date: 2017-02-13T21:59:00.893