Vulnerability CVE-2016-4561

Vulnerability Name:

CVE-2016-4561 (CCN-112999)

Assigned:

2016-05-06

Published:

2016-05-06

Updated:

2016-05-16

Summary:

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2016-4561

Source: CONFIRM
Type: Vendor Advisory
http://ikiwiki.info/security/#index43h2

Source: CCN
Type: oss-sec Mailing List, Fri, 6 May 2016 21:30:41 +0200
CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack

Source: CCN
Type: oss-sec Mailing List, Fri, 6 May 2016 16:10:59 -0400 (EDT)
Re: CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack

Source: CCN
Type: ikiwiki Web site
source.ikiwiki.branchable.com Git - source.git/commitdiff

Source: CONFIRM
Type: Vendor Advisory
http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

Source: DEBIAN
Type: UNKNOWN
DSA-3571

Source: XF
Type: UNKNOWN
ikiwiki-cve20164561-xss(112999)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-4561

Vulnerable Configuration:

Configuration 1:

cpe:/a:ikiwiki:ikiwiki:*:*:*:*:*:*:*:* (Version <= 3.20160121)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ikiwiki:ikiwiki:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:112432	P	ikiwiki-3.20200202.3-2.7 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105938	P	ikiwiki-3.20200202.3-2.7 on GA media (Moderate)	2021-10-01
oval:org.cisecurity:def:581	P	DSA-3571-1 -- ikiwiki -- security update	2016-07-01
oval:com.ubuntu.cosmic:def:201645610000000	V	CVE-2016-4561 on Ubuntu 18.10 (cosmic) - medium.	2016-05-10
oval:com.ubuntu.artful:def:20164561000	V	CVE-2016-4561 on Ubuntu 17.10 (artful) - medium.	2016-05-10
oval:com.ubuntu.trusty:def:20164561000	V	CVE-2016-4561 on Ubuntu 14.04 LTS (trusty) - medium.	2016-05-10
oval:com.ubuntu.bionic:def:201645610000000	V	CVE-2016-4561 on Ubuntu 18.04 LTS (bionic) - medium.	2016-05-10
oval:com.ubuntu.bionic:def:20164561000	V	CVE-2016-4561 on Ubuntu 18.04 LTS (bionic) - medium.	2016-05-10
oval:com.ubuntu.xenial:def:20164561000	V	CVE-2016-4561 on Ubuntu 16.04 LTS (xenial) - medium.	2016-05-10
oval:com.ubuntu.xenial:def:201645610000000	V	CVE-2016-4561 on Ubuntu 16.04 LTS (xenial) - medium.	2016-05-10
oval:com.ubuntu.cosmic:def:20164561000	V	CVE-2016-4561 on Ubuntu 18.10 (cosmic) - medium.	2016-05-10
oval:com.ubuntu.disco:def:201645610000000	V	CVE-2016-4561 on Ubuntu 19.04 (disco) - medium.	2016-05-10
oval:com.ubuntu.precise:def:20164561000	V	CVE-2016-4561 on Ubuntu 12.04 LTS (precise) - medium.	2016-05-10

BACK