Sign-up

ID

VAR-201706-0391


CVE

CVE-2016-9834


TITLE

Sophos Cyberoam Firmware firewall device cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-008643

DESCRIPTION

An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp. Sophos Cyberoam A firmware firewall device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Sophos Cyberoam firewall devices is a set of firewall devices of British Sophos Company, which provides online application detection and control, web filtering, HTTPS inspection, intrusion prevention and other functions. The vulnerability stems from the fact that the program does not filter the 'applicationname' and 'username' GET parameters correctly

Trust: 1.71

sources: NVD: CVE-2016-9834 // JVNDB: JVNDB-2016-008643 // VULHUB: VHN-98654

AFFECTED PRODUCTS

vendor:sophosmodel:cyberoamscope:lteversion:10.6.4

Trust: 1.0

vendor:sophosmodel:cyberoamosscope:lteversion:10.6.4

Trust: 0.8

vendor:sophosmodel:cyberoamscope:eqversion:10.6.4

Trust: 0.6

sources: JVNDB: JVNDB-2016-008643 // CNNVD: CNNVD-201706-266 // NVD: CVE-2016-9834

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9834
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-9834
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201706-266
value: MEDIUM

Trust: 0.6

VULHUB: VHN-98654
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-9834
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-98654
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-9834
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-98654 // JVNDB: JVNDB-2016-008643 // CNNVD: CNNVD-201706-266 // NVD: CVE-2016-9834

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-98654 // JVNDB: JVNDB-2016-008643 // NVD: CVE-2016-9834

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-266

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-266

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-008643

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-98654

PATCH
title:Top Pageurl:https://www.cyberoam.com/
Trust: 0.8
title:Sophos Cyberoam Fixes for firewall device cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74792
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2016-008643 // 
            
            
            
            CNNVD: CNNVD-201706-266

EXTERNAL IDS
db:NVDid:CVE-2016-9834
Trust: 2.5
db:JVNDBid:JVNDB-2016-008643
Trust: 0.8
db:CNNVDid:CNNVD-201706-266
Trust: 0.7
db:PACKETSTORMid:142832
Trust: 0.1
db:EXPLOIT-DBid:42062
Trust: 0.1
db:VULHUBid:VHN-98654
Trust: 0.1
sources:
            
            
            VULHUB: VHN-98654 // 
            
            
            
            JVNDB: JVNDB-2016-008643 // 
            
            
            
            CNNVD: CNNVD-201706-266 // 
            
            
            
            NVD: CVE-2016-9834

REFERENCES
url:http://seclists.org/bugtraq/2017/jun/4
Trust: 2.5
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9834
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-9834
Trust: 0.8
sources:
            
            
            VULHUB: VHN-98654 // 
            
            
            
            JVNDB: JVNDB-2016-008643 // 
            
            
            
            CNNVD: CNNVD-201706-266 // 
            
            
            
            NVD: CVE-2016-9834

SOURCES
db:VULHUBid:VHN-98654
db:JVNDBid:JVNDB-2016-008643
db:CNNVDid:CNNVD-201706-266
db:NVDid:CVE-2016-9834

LAST UPDATE DATE
2025-04-20T23:27:23.851000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-98654date:2017-06-14T00:00:00
db:JVNDBid:JVNDB-2016-008643date:2017-07-04T00:00:00
db:CNNVDid:CNNVD-201706-266date:2017-09-29T00:00:00
db:NVDid:CVE-2016-9834date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-98654date:2017-06-07T00:00:00
db:JVNDBid:JVNDB-2016-008643date:2017-07-04T00:00:00
db:CNNVDid:CNNVD-201706-266date:2017-06-07T00:00:00
db:NVDid:CVE-2016-9834date:2017-06-07T12:29:00.173