CVE-2016-3709
Published: 2022-07-28
Priority: P4 · medium 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.75% (50.4th percentile)
Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < 2.9.12+dfsg-3 (bookworm) | 2.9.12+dfsg-3 (bookworm) |
| msrc | cbl2_libxml2_2.10.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_libxml2_2.9.14-3_on_cbl_mariner_1.0 | — | — |
| xmlsoft | libxml2 | — | — |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u5 | 2.9.10+dfsg-6.7+deb11u5 |
| xmlsoft | libxml2 | >= 0 < 2.9.12+dfsg-3 | 2.9.12+dfsg-3 |
| xmlsoft | libxml2 | >= 2.9.2 < 2.9.11 | 2.9.11 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | |
| vendor_debian | 6.1 | MEDIUM | |
| vendor_msrc | 6.1 | MEDIUM | |
| vendor_redhat | 6.1 | MEDIUM | |
CISA ICS
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
cisa_ics · 2023-12-14 · ICS Advisory
Release Date: December 14, 2023
Alert Code: ICSA-23-348-10
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
- Vulnerabilities: Improper Restriction of XML External Entity Reference, Time-of-check Time-of-use (TOCTOU) Race Condition, Command Injection, Miss
Ubuntu
libxml2 vulnerability
vendor_ubuntu·2022-08-04
CVE-2016-3709 libxml2 vulnerability
Title: libxml2 vulnerability
Summary: libxml2 could be made to execute arbitrary code if it received a specially crafted file.
It was discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
vendor_msrc·2022-07-12·CVSS 6.1
CVE-2016-3709 [MEDIUM] CWE-79 Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
libxml2: Incorrect server side include parsing can lead to XSS
vendor_redhat·2016-08-11·CVSS 6.1
CVE-2016-3709 [MEDIUM] CWE-79 libxml2: Incorrect server side include parsing can lead to XSS
A Cross-site scripting (XSS) vulnerability was found in libxml2. A specially crafted input, when serialized and re-parsed by the libxml2 library, will result in a document with element attributes that did not exist in the original document.
Statement: Red Hat JBoss Core Services already included the flaw fixes when the CVE was published over the version of httpd 2.4.51.SP1 GA.
Package: libxml2 (Red Hat Enterprise Linux 6) - Out of support scope
Package: libxml2 (Red Hat Enterprise Linux 7) - Out of support scope
Package: libxml2 (Red Hat Enterprise Linux 9) - Not affected
Package: libxml2 (Red Hat JBoss Core Services) - Not affected
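The Red Hat description above names the observable symptom: a document that, once libxml2 has serialized it and parsed the result again, carries element attributes the original never had. The block below is an added example, not libxml2 code and not a reproduction of the libxml2 defect. It implements the round-trip differential check a practitioner would run against any HTML serializer: parse, serialize, re-parse, and diff the attribute sets. Both serializers and the sample input are constructed; the "unsafe" one exempts attribute values beginning with `<!--` from escaping, which is an assumed toy model of the server-side-include special case the advisories refer to, not libxml2's actual logic.

```python
"""Round-trip differential check for an HTML attribute serializer.

Added example, standard library only. It detects the symptom described
for CVE-2016-3709 (attributes that exist only after serialize-and-reparse)
without modelling libxml2's internals.
"""
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record (tag, attributes) for every start tag; values are entity-decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, tuple(attrs)))


def parse(doc):
    p = AttrCollector()
    p.feed(doc)
    p.close()
    return p.elements


def safe_attr(value):
    """Always escape &, <, >, double and single quotes, so a value can never close its quote."""
    return html.escape(value, quote=True)


def unsafe_ssi_attr(value):
    """Constructed toy serializer rule (assumption, not libxml2 code): leave a value
    that looks like a server-side include (<!-- ...) completely unescaped."""
    if value.lstrip().startswith("<!--"):
        return value
    return html.escape(value, quote=True)


def serialize(elements, escape_attr):
    """Write start tags only; text and end tags do not matter for the attribute check."""
    out = []
    for tag, attrs in elements:
        rendered = "".join(f' {name}="{escape_attr(value or "")}"' for name, value in attrs)
        out.append(f"<{tag}{rendered}>")
    return "".join(out)


def roundtrip_new_attrs(doc, escape_attr):
    """Return sorted (tag, attribute-name) pairs that appear after serialize+reparse
    but were absent from the original parse. An empty list means the round trip
    preserved the attribute set."""
    original = parse(doc)
    reparsed = parse(serialize(original, escape_attr))
    before = {(tag, name) for tag, attrs in original for name, _ in attrs}
    after = {(tag, name) for tag, attrs in reparsed for name, _ in attrs}
    return sorted(after - before)


# Constructed sample input: one href whose decoded value starts with "<!--" and
# contains a double quote followed by what would become an event-handler attribute.
SAMPLE = '<a href="&lt;!--&quot; onmouseover=&quot;alert(1)">link</a>'


if __name__ == "__main__":
    print("original attrs:     ", parse(SAMPLE))
    print("unsafe serializer:  ", serialize(parse(SAMPLE), unsafe_ssi_attr))
    print("new attrs (unsafe): ", roundtrip_new_attrs(SAMPLE, unsafe_ssi_attr))
    print("new attrs (safe):   ", roundtrip_new_attrs(SAMPLE, safe_attr))
```

With the toy unsafe rule the second parse gains an `onmouseover` attribute on the `a` element that the first parse never had; with unconditional escaping the diff is empty. The same harness can be pointed at a real serializer (for instance lxml's `tostring` over a fuzzed corpus) to catch this class of regression before it ships.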
Debian
CVE-2016-3709: libxml2 - Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
vendor_debian·2016·CVSS 6.1
CVE-2016-3709 [MEDIUM] libxml2 - Possible cross-site scripting vulnerability in libxml after commit 960f0e2.
Scope: local
bookworm: resolved (fixed in 2.9.12+dfsg-3)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u5)
forky: resolved (fixed in 2.9.12+dfsg-3)
sid: resolved (fixed in 2.9.12+dfsg-3)
trixie: resolved (fixed in 2.9.12+dfsg-3)
GHSA
GHSA-4p43-98m8-qxmc: Possible cross-site scripting vulnerability in libxml after commit 960f0e2
ghsa_unreviewed·2022-07-29
CVE-2016-3709 [MEDIUM] CWE-79 GHSA-4p43-98m8-qxmc: Possible cross-site scripting vulnerability in libxml after commit 960f0e2
OSV
CVE-2016-3709: Possible cross-site scripting vulnerability in libxml after commit 960f0e2
osv·2022-07-28·CVSS 6.1
CVE-2016-3709 [MEDIUM] Possible cross-site scripting vulnerability in libxml after commit 960f0e2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.