CVE-2016-8581
published 2016-10-28

Priority: P347, medium, 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 17.06% (96.7th percentile)

A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
alienvault | open_source_security_information_and_event_management | <= 5.3.1 |
alienvault | unified_security_management | <= 5.3.1 |

Detection & IOCs (extracted from sources)

url: https://www.google.com/
  • Monitor HTTP login requests for JavaScript payloads injected into the User-Agent header, particularly those containing jQuery $.get() calls or session-harvesting patterns targeting the 'Current Sessions' page.
  • Alert on User-Agent header values containing HTML/JavaScript tags (e.g., <script>, jQuery selectors, $.get, $.post) in authentication requests to AlienVault OSSIM/USM login endpoints.
  • Inspect the 'Current Sessions' admin page (#ops_table .ops_id) for unexpected outbound GET requests triggered by stored XSS payloads in User-Agent fields.
  • The PoC exfiltrates session IDs to an attacker-controlled external URL via HTTP GET with a 'session' parameter; the Google URL in the PoC is a placeholder — real attacks would use an attacker-controlled domain.
  • Affected versions are AlienVault OSSIM and USM prior to 5.3.2; the vulnerability is fixed in version 5.3.2.
  • The Metasploit module (alienvault_sqli_exec.rb) referenced in the sources targets a different CVE (SQL injection + RCE in OSSIM ≤4.3.1) and is NOT directly related to CVE-2016-8581; treat its intel separately.
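
Added example (not part of the original entry and not AlienVault code): one way to implement the first two monitoring points over web-server access logs in "combined" format. The login path is a labelled placeholder, the function and constant names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: placeholder; set this to the login endpoint of your deployment.
LOGIN_PATH = "/login-path-placeholder"

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Markers named in the guidance above: HTML/script tags, jQuery AJAX calls,
# and the selectors of the 'Current Sessions' table.
MARKERS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|\$\.(?:get|post)\s*\(|#ops_table|\.ops_id",
    re.IGNORECASE,
)

def flag_suspicious_logins(lines, login_path=LOGIN_PATH):
    """Return (client_ip, user_agent) for login requests whose UA matches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("path").startswith(login_path):
            continue  # unparsable line, or not an authentication request
        # Some proxies log the header percent-encoded; decode before matching.
        ua = unquote(m.group("ua"))
        if MARKERS.search(ua):
            hits.append((m.group("ip"), ua))
    return hits

# Constructed sample lines (not taken from any real log).
_REQ = '"POST /login-path-placeholder HTTP/1.1" 302 0 "-"'
SAMPLE = [
    f'192.0.2.10 - - [28/Oct/2016:10:00:00 +0000] {_REQ} "Mozilla/5.0 (X11; Linux x86_64)"',
    f'198.51.100.7 - - [28/Oct/2016:10:01:00 +0000] {_REQ} "<script>/* constructed */</script>"',
    f'198.51.100.8 - - [28/Oct/2016:10:02:00 +0000] {_REQ} "x %3Cscript%3E constructed"',
    f'198.51.100.9 - - [28/Oct/2016:10:03:00 +0000] {_REQ} "jq $.get( #ops_table .ops_id constructed"',
    '203.0.113.5 - - [28/Oct/2016:10:04:00 +0000] "GET /other HTTP/1.1" 200 10 "-" "<b>constructed</b>"',
]

if __name__ == "__main__":
    for ip, ua in flag_suspicious_logins(SAMPLE):
        print(f"ALERT login from {ip} with markup in User-Agent: {ua!r}")
```

Matching on the decoded header also catches entries from proxies that log the value percent-encoded; a User-Agent that only appears in application-level logs needs the same check applied there.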

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N