ID

VAR-201907-1027


CVE

CVE-2016-5236


TITLE

F5 WebSafe Alert Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-009357

DESCRIPTION

Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature. F5 WebSafe Alert Server contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to WebSafe Alert Server 3.9.5 are vulnerable. F5 WebSafe is a set of network fraud protection solutions from F5 Corporation of the United States. The solution provides malware and fraud detection, client mobile threat protection, and more. F5 WebSafe Dashboard is one of the dashboard components

Trust: 1.98

sources: NVD: CVE-2016-5236 // JVNDB: JVNDB-2016-009357 // BID: 109045 // VULHUB: VHN-94055

AFFECTED PRODUCTS

vendor: f5 // model: websafe alert server // scope: lte // version: 3.9.5

Trust: 1.8

vendor: f5 // model: websafe alert server // scope: eq // version: 3.9.5

Trust: 0.3

vendor: f5 // model: websafe alert server // scope: eq // version: 3.9

Trust: 0.3

vendor: f5 // model: websafe alert server // scope: eq // version: 1.0

Trust: 0.3

vendor: f5 // model: websafe alert server // scope: ne // version: 4.0

Trust: 0.3

sources: BID: 109045 // JVNDB: JVNDB-2016-009357 // NVD: CVE-2016-5236

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5236
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-5236
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201607-1100
value: MEDIUM

Trust: 0.6

VULHUB: VHN-94055
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2016-5236
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-94055
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5236
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-94055 // JVNDB: JVNDB-2016-009357 // CNNVD: CNNVD-201607-1100 // NVD: CVE-2016-5236

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-94055 // JVNDB: JVNDB-2016-009357 // NVD: CVE-2016-5236

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-1100

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201607-1100

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009357

PATCH

title: K55922302 // url: https://support.f5.com/csp/article/K55922302

Trust: 0.8

title: F5 WebSafe Dashboard Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63400

Trust: 0.6

sources: JVNDB: JVNDB-2016-009357 // CNNVD: CNNVD-201607-1100

EXTERNAL IDS

db: NVD // id: CVE-2016-5236

Trust: 2.8

db: JVNDB // id: JVNDB-2016-009357

Trust: 0.8

db: CNNVD // id: CNNVD-201607-1100

Trust: 0.7

db: BID // id: 109045

Trust: 0.3

db: VULHUB // id: VHN-94055

Trust: 0.1

sources: VULHUB: VHN-94055 // BID: 109045 // JVNDB: JVNDB-2016-009357 // CNNVD: CNNVD-201607-1100 // NVD: CVE-2016-5236

REFERENCES

url:https://support.f5.com/csp/article/k55922302

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2016-5236

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5236

Trust: 0.8

url:https://f5.com/

Trust: 0.3

sources: VULHUB: VHN-94055 // BID: 109045 // JVNDB: JVNDB-2016-009357 // CNNVD: CNNVD-201607-1100 // NVD: CVE-2016-5236

CREDITS

Blazej Wincenciak and Krzysztof Wegrzynek of Prevenity.

Trust: 0.3

sources: BID: 109045

SOURCES

db: VULHUB // id: VHN-94055
db: BID // id: 109045
db: JVNDB // id: JVNDB-2016-009357
db: CNNVD // id: CNNVD-201607-1100
db: NVD // id: CVE-2016-5236

LAST UPDATE DATE

2024-11-23T23:04:44.798000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-94055 // date: 2019-07-02T00:00:00
db: BID // id: 109045 // date: 2016-07-14T00:00:00
db: JVNDB // id: JVNDB-2016-009357 // date: 2019-07-03T00:00:00
db: CNNVD // id: CNNVD-201607-1100 // date: 2019-07-03T00:00:00
db: NVD // id: CVE-2016-5236 // date: 2024-11-21T02:53:53.993

SOURCES RELEASE DATE

db: VULHUB // id: VHN-94055 // date: 2019-07-01T00:00:00
db: BID // id: 109045 // date: 2016-07-14T00:00:00
db: JVNDB // id: JVNDB-2016-009357 // date: 2019-07-03T00:00:00
db: CNNVD // id: CNNVD-201607-1100 // date: 2016-07-14T00:00:00
db: NVD // id: CVE-2016-5236 // date: 2019-07-01T16:15:11.527