Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-8526: XML External Entity (XXE) Injection in HP Airwave

Severity: 8.8 HIGH (NVD)
EPSS: 12.6% (top 6.03%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Aug 6; latest update May 14

Description

All versions of Aruba Airwave up to, but not including, 8.2.3.1 are vulnerable to XML external entity (XXE) injection. XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: hewlett_packard_enterprise/aruba_airwave, all versions up to, but not including, 8.2.3.1
NVD: hp/airwave < 8.2.3.1

🔴 Vulnerability Details (2)

GHSA: GHSA-f7p7-p4m6-xxhq: Aruba Airwave all versions up to, but not including, 8 | 2022-05-14
CVEList: CVE-2016-8526: Aruba Airwave all versions up to, but not including, 8 | 2018-08-06

💥 Exploits & PoCs (1)

Exploit-DB: Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting | 2017-03-01