Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-8527: Cross-site Scripting in HP Airwave

Severity: 6.1 MEDIUM (NVD)
EPSS: 61.8% (top 1.66%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Aug 6; Latest update May 14

Description

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while logged into AirWave.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: hewlett_packard_enterprise/aruba_airwave, all versions up to, but not including, 8.2.3.1
NVD: hp/airwave, < 8.2.3.1

🔴 Vulnerability Details (2)

GHSA: GHSA-8488-4hwv-3vc5: Aruba Airwave all versions up to, but not including, 8 (2022-05-14)
CVEList: CVE-2016-8527: Aruba Airwave all versions up to, but not including, 8 (2018-08-06)

💥 Exploits & PoCs (2)

Exploit-DB: Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting (2017-03-01)
Nuclei: Aruba Airwave <8.2.3.1 - Cross-Site Scripting