ID

VAR-201907-1026


CVE

CVE-2016-5235


TITLE

F5 WebSafe Alert Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-009356

DESCRIPTION

A cross-site scripting (XSS) vulnerability in F5 WebSafe Dashboard 3.9.x and earlier (also known as F5 WebSafe Alert Server) allows an unauthenticated user to inject HTML via a crafted alert. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to WebSafe Alert Server 3.9.x are vulnerable. F5 WebSafe is a set of network fraud protection solutions from F5 Corporation of the United States. The solution provides malware and fraud detection, client mobile threat protection, and more. F5 WebSafe Dashboard is one of its dashboard components. Attackers can exploit this vulnerability to inject arbitrary web scripts or HTML.

Trust: 1.98

sources: NVD: CVE-2016-5235 // JVNDB: JVNDB-2016-009356 // BID: 109041 // VULHUB: VHN-94054

AFFECTED PRODUCTS

vendor: f5 / model: websafe alert server / scope: lt / version: 4.0.0

Trust: 1.0

vendor: f5 / model: websafe alert server / scope: lte / version: 3.9.5

Trust: 0.8

vendor: f5 / model: websafe alert server / scope: eq / version: 3.9.5

Trust: 0.3

vendor: f5 / model: websafe alert server / scope: eq / version: 3.9

Trust: 0.3

vendor: f5 / model: websafe alert server / scope: eq / version: 1.0

Trust: 0.3

vendor: f5 / model: websafe alert server / scope: ne / version: 4.0

Trust: 0.3

sources: BID: 109041 // JVNDB: JVNDB-2016-009356 // NVD: CVE-2016-5235

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5235
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-5235
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201607-014
value: MEDIUM

Trust: 0.6

VULHUB: VHN-94054
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-5235
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-94054
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5235
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-94054 // JVNDB: JVNDB-2016-009356 // CNNVD: CNNVD-201607-014 // NVD: CVE-2016-5235

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-94054 // JVNDB: JVNDB-2016-009356 // NVD: CVE-2016-5235

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-014

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201607-014

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009356

PATCH

title: K48572812 / url: https://support.f5.com/csp/article/K48572812

Trust: 0.8

title: F5 WebSafe Dashboard fixes for cross-site scripting vulnerabilities / url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62608

Trust: 0.6

sources: JVNDB: JVNDB-2016-009356 // CNNVD: CNNVD-201607-014

EXTERNAL IDS

db: NVD / id: CVE-2016-5235

Trust: 2.8

db: JVNDB / id: JVNDB-2016-009356

Trust: 0.8

db: CNNVD / id: CNNVD-201607-014

Trust: 0.7

db: BID / id: 109041

Trust: 0.3

db: VULHUB / id: VHN-94054

Trust: 0.1

sources: VULHUB: VHN-94054 // BID: 109041 // JVNDB: JVNDB-2016-009356 // CNNVD: CNNVD-201607-014 // NVD: CVE-2016-5235

REFERENCES

url: https://support.f5.com/csp/article/k48572812

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2016-5235

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5235

Trust: 0.8

url: http://www.f5.com/

Trust: 0.3

sources: VULHUB: VHN-94054 // BID: 109041 // JVNDB: JVNDB-2016-009356 // CNNVD: CNNVD-201607-014 // NVD: CVE-2016-5235

CREDITS

Blazej Wincenciak / Krzysztof Wegrzynek of Prevenity (vr@prevenity.com)

Trust: 0.6

sources: CNNVD: CNNVD-201607-014

SOURCES

db: VULHUB / id: VHN-94054
db: BID / id: 109041
db: JVNDB / id: JVNDB-2016-009356
db: CNNVD / id: CNNVD-201607-014
db: NVD / id: CVE-2016-5235

LAST UPDATE DATE

2024-11-23T22:11:57.098000+00:00


SOURCES UPDATE DATE

db: VULHUB / id: VHN-94054 / date: 2019-07-02T00:00:00
db: BID / id: 109041 / date: 2016-07-01T00:00:00
db: JVNDB / id: JVNDB-2016-009356 / date: 2019-07-03T00:00:00
db: CNNVD / id: CNNVD-201607-014 / date: 2019-07-03T00:00:00
db: NVD / id: CVE-2016-5235 / date: 2024-11-21T02:53:53.847

SOURCES RELEASE DATE

db: VULHUB / id: VHN-94054 / date: 2019-07-01T00:00:00
db: BID / id: 109041 / date: 2016-07-01T00:00:00
db: JVNDB / id: JVNDB-2016-009356 / date: 2019-07-03T00:00:00
db: CNNVD / id: CNNVD-201607-014 / date: 2016-07-05T00:00:00
db: NVD / id: CVE-2016-5235 / date: 2019-07-01T16:15:11.417