CVE-2016-8527
published 2018-08-06


Priority: P343, medium, 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 13.16% (95.9th percentile)
Aruba AirWave, all versions up to but not including 8.2.3.1, is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while logged into AirWave in the same browser.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | aruba_airwave | | |
| hp | airwave | < 8.2.3.1 | 8.2.3.1 |

Detection & IOCs (extracted from sources)

url: /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match
path: /visualrf/group_list.xml
yara: alert(document.domain)
  • CVE-2016-8527 XSS is triggered via HTTP GET parameters 'start' or 'end' on the /visualrf/group_list.xml endpoint. Monitor for URL-encoded HTML/script injection in these parameters.
  • The reflected XSS payload uses an XML namespace trick: a URL-encoded <a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'/></a> injected into the 'start' parameter. Detect URL-encoded xhtml namespace strings in GET requests to /visualrf/group_list.xml.
  • Session cookies or passwords may be exfiltrated via the reflected XSS. Monitor for outbound requests from AirWave admin browser sessions to unexpected external hosts shortly after access to /visualrf/group_list.xml.
  • The Nuclei probe for this CVE checks for alert(document.domain) in the response body and Content-Type: text/html with HTTP 200. Use these as detection criteria in web application firewall or IDS rules.
  • All Aruba AirWave versions up to but not including 8.2.3.1 are affected. Versions 8.2.3 and below were confirmed vulnerable at time of discovery.
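
The first two detection points above can be run as a check over web server access logs. The following is an added example, not code from this page's sources or from any vendor: it flags GET requests to /visualrf/group_list.xml whose 'start' or 'end' value decodes to the xhtml namespace string or other markup. The log format, the sample lines and the assumption that both parameters are normally numeric are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/visualrf/group_list.xml"   # endpoint named on this page
WATCHED_PARAMS = ("start", "end")          # parameters named on this page
XHTML_NS = "http://www.w3.org/1999/xhtml"  # namespace string from the IOC URL
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>'\"]|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample lines (combined log format assumed); the second reuses the IOC URL.
_line = '192.0.2.10 - - [06/Aug/2018:10:00:00 +0000] "GET {} HTTP/1.1" 200 812'.format
SAMPLE_LOG = [
    _line("/visualrf/group_list.xml?aps=1&start=0&end=500"),
    _line("/visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match"),
    _line("/visualrf/group_list.xml?aps=1&start=0&end=%253Cb%253E"),
    _line("/index.html?start=%3Cb%3E"),
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a list of (param, reason) findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return []
    url = urlsplit(m.group("target"))
    if unquote(url.path).lower() != TARGET_PATH:
        return []
    findings = []
    for name in WATCHED_PARAMS:
        for raw in parse_qs(url.query).get(name, []):  # parse_qs decodes once
            value = fully_decode(raw)
            if XHTML_NS in value.lower():
                findings.append((name, "xhtml namespace"))
            elif MARKUP_RE.search(value):
                findings.append((name, "markup characters"))
            elif not value.strip().isdigit():  # assumption: numeric offsets
                findings.append((name, "non-numeric value"))
    return findings

def scan(lines):
    """Map line index -> findings for every line with at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_line(line))}
```
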

CVSS provenance

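| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |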