ID

VAR-201704-1022


CVE

CVE-2016-8789


TITLE

Huawei eSpace Integrated Access Device Software cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-008219

DESCRIPTION

Huawei eSpace Integrated Access Device (IAD) with software V300R001C03, V300R001C04, V300R001C06, V300R001C20, and V300R001C07 allows an attacker to trick a user into clicking a URL containing malicious scripts to obtain user information or hijack the session, aka XSS. Huawei eSpace IAD is a comprehensive access device for Huawei's IP voice and unified communications solutions. A reflective cross-site scripting vulnerability exists in Huawei eSpace IAD products. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. The following versions are affected: Huawei eSpace IAD V300R001C20, Huawei eSpace IAD V300R001C07, Huawei eSpace IAD V300R001C06, Huawei eSpace IAD V300R001C04, Huawei eSpace IAD V300R001C03.

Trust: 2.52

sources: NVD: CVE-2016-8789 // JVNDB: JVNDB-2016-008219 // CNVD: CNVD-2016-11725 // BID: 94613 // VULHUB: VHN-97609

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-11725

AFFECTED PRODUCTS

vendor: huawei | model: espace integrated access device | scope: eq | version: v300r001c03

Trust: 2.4

vendor: huawei | model: espace integrated access device | scope: eq | version: v300r001c04

Trust: 2.4

vendor: huawei | model: espace integrated access device | scope: eq | version: v300r001c06

Trust: 2.4

vendor: huawei | model: espace integrated access device | scope: eq | version: v300r001c07

Trust: 2.4

vendor: huawei | model: espace integrated access device | scope: eq | version: v300r001c20

Trust: 2.4

vendor: huawei | model: espace iad v300r001c03 | scope: - | version: -

Trust: 0.9

vendor: huawei | model: espace iad v300r001c04 | scope: - | version: -

Trust: 0.9

vendor: huawei | model: espace iad v300r001c06 | scope: - | version: -

Trust: 0.9

vendor: huawei | model: espace iad v300r001c20 | scope: - | version: -

Trust: 0.9

vendor: huawei | model: espace iad v300r001c07 | scope: - | version: -

Trust: 0.9

vendor: huawei | model: espace iad v300r001c07spc200 | scope: ne | version: -

Trust: 0.3

sources: CNVD: CNVD-2016-11725 // BID: 94613 // JVNDB: JVNDB-2016-008219 // CNNVD: CNNVD-201612-016 // NVD: CVE-2016-8789

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-8789
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-8789
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-11725
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201612-016
value: MEDIUM

Trust: 0.6

VULHUB: VHN-97609
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-8789
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-11725
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-97609
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-8789
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-11725 // VULHUB: VHN-97609 // JVNDB: JVNDB-2016-008219 // CNNVD: CNNVD-201612-016 // NVD: CVE-2016-8789

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-97609 // JVNDB: JVNDB-2016-008219 // NVD: CVE-2016-8789

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-016

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201612-016

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008219

PATCH

title: huawei-sa-20161130-01-espace | url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-espace-en

Trust: 0.8

title: Huawei eSpaceIAD product has a patch for reflective cross-site scripting vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/84782

Trust: 0.6

title: Huawei eSpace IAD Fixes for cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65995

Trust: 0.6

sources: CNVD: CNVD-2016-11725 // JVNDB: JVNDB-2016-008219 // CNNVD: CNNVD-201612-016

EXTERNAL IDS

db: NVD | id: CVE-2016-8789

Trust: 3.4

db: BID | id: 94613

Trust: 2.6

db: JVNDB | id: JVNDB-2016-008219

Trust: 0.8

db: CNNVD | id: CNNVD-201612-016

Trust: 0.7

db: CNVD | id: CNVD-2016-11725

Trust: 0.6

db: VULHUB | id: VHN-97609

Trust: 0.1

sources: CNVD: CNVD-2016-11725 // VULHUB: VHN-97609 // BID: 94613 // JVNDB: JVNDB-2016-008219 // CNNVD: CNNVD-201612-016 // NVD: CVE-2016-8789

REFERENCES

url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161130-01-espace-en

Trust: 2.0

url: http://www.securityfocus.com/bid/94613

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8789

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-8789

Trust: 0.8

url: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20161130-01-espace-cn

Trust: 0.6

url: http://www.huawei.com

Trust: 0.3

sources: CNVD: CNVD-2016-11725 // VULHUB: VHN-97609 // BID: 94613 // JVNDB: JVNDB-2016-008219 // CNNVD: CNNVD-201612-016 // NVD: CVE-2016-8789

CREDITS

Jiang Zhiwei.

Trust: 0.9

sources: BID: 94613 // CNNVD: CNNVD-201612-016

SOURCES

db: CNVD | id: CNVD-2016-11725
db: VULHUB | id: VHN-97609
db: BID | id: 94613
db: JVNDB | id: JVNDB-2016-008219
db: CNNVD | id: CNNVD-201612-016
db: NVD | id: CVE-2016-8789

LAST UPDATE DATE

2025-04-20T23:05:09.861000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2016-11725 | date: 2016-12-01T00:00:00
db: VULHUB | id: VHN-97609 | date: 2017-04-05T00:00:00
db: BID | id: 94613 | date: 2016-12-20T02:04:00
db: JVNDB | id: JVNDB-2016-008219 | date: 2017-05-02T00:00:00
db: CNNVD | id: CNNVD-201612-016 | date: 2016-12-02T00:00:00
db: NVD | id: CVE-2016-8789 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2016-11725 | date: 2016-12-01T00:00:00
db: VULHUB | id: VHN-97609 | date: 2017-04-02T00:00:00
db: BID | id: 94613 | date: 2016-12-01T00:00:00
db: JVNDB | id: JVNDB-2016-008219 | date: 2017-05-02T00:00:00
db: CNNVD | id: CNNVD-201612-016 | date: 2016-12-02T00:00:00
db: NVD | id: CVE-2016-8789 | date: 2017-04-02T20:59:01.610