CVE-2016-2058 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow (1) remote Xymon clients to inject arbitrary web script or HTML via a status message that is not properly handled in the "detailed status" page, or (2) remote authenticated users to inject arbitrary web script or HTML via an acknowledgement message that is not properly handled in the "status" page.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html
http://www.debian.org/security/2016/dsa-3495
http://www.securityfocus.com/archive/1/537522/100/0/threaded
https://sourceforge.net/p/xymon/code/7892/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM