Vulnerability Name:

CVE-2016-6519 (CCN-118689)

Assigned:2016-10-26
Published:2016-10-26
Updated:2021-08-04
Summary:Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
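Added illustration of the flaw class, not code from manila-ui, Horizon or any of the advisories above: the summary describes user-supplied share metadata from the "Create Share" form being rendered unescaped in the "Shares" overview. The block shows that vulnerable pattern (values concatenated straight into HTML) beside the hardened form (every key and value HTML-escaped, as Django's template autoescaping or django.utils.html.escape would do), and a rough audit helper for finding markup already stored in metadata on a deployment that has not yet been patched. The share records, field names and function names are constructed for this example.

```python
import html
import re

# Constructed sample shares, shaped like the metadata a "Create Share" form
# could submit; the values are made up for this example, not from the advisory.
SAMPLE_SHARES = [
    {"name": "share-a", "metadata": {"owner": "team-blue", "tier": "gold"}},
    {"name": "share-b", "metadata": {"note": "<script>alert(1)</script>"}},
    {"name": "share-c", "metadata": {"x": 'a" onmouseover="alert(1)'}},
]


def render_metadata_unsafe(metadata):
    """Vulnerable pattern: keys and values go into the markup verbatim, so any
    authenticated user who can create a share controls what other users'
    browsers execute when they open the overview."""
    items = "".join(f"<li>{k}={v}</li>" for k, v in metadata.items())
    return "<ul>" + items + "</ul>"


def render_metadata_safe(metadata):
    """Hardened form: escape every key and value. quote=True also neutralises
    the quote characters needed to break out of an attribute context."""
    items = "".join(
        f"<li>{html.escape(str(k), quote=True)}={html.escape(str(v), quote=True)}</li>"
        for k, v in metadata.items()
    )
    return "<ul>" + items + "</ul>"


# Characters and fragments that have no business in a tag or tier label but
# are what an XSS payload needs. Deliberately broad: this is an audit hint,
# not a sanitiser, and escaping on output remains the actual fix.
_MARKUP = re.compile(r"[<>\"']|&#|&[a-z]+;|javascript:", re.IGNORECASE)


def flag_suspicious_metadata(shares):
    """Return (share name, metadata key) pairs whose key or value looks like
    markup, for reviewing stored data before the UI fix has been rolled out."""
    hits = []
    for share in shares:
        for key, value in share["metadata"].items():
            if _MARKUP.search(str(key)) or _MARKUP.search(str(value)):
                hits.append((share["name"], key))
    return hits


if __name__ == "__main__":
    for share in SAMPLE_SHARES:
        print(share["name"], "unsafe:", render_metadata_unsafe(share["metadata"]))
        print(share["name"], "safe:  ", render_metadata_safe(share["metadata"]))
    print("suspicious:", flag_suspicious_metadata(SAMPLE_SHARES))
```

The audit helper is intentionally noisy; the point is to list candidate rows for a human to look at, since removing or rewriting tenant metadata on their behalf is its own integrity problem. The durable fix is the one the advisories ship: escape on output in the view, independent of whatever was stored.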
References:Source: MITRE
Type: CNA
CVE-2016-6519

Source: CCN
Type: Red Hat Security
RHSA-2016:2115-1 - Moderate: openstack-manila-ui security update

Source: CCN
Type: RHSA-2016-2115
Moderate: openstack-manila-ui security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:2115

Source: CCN
Type: Red Hat Security
RHSA-2016:2116-1 Moderate: openstack-manila-ui security update

Source: CCN
Type: RHSA-2016-2116
Moderate: openstack-manila-ui security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:2116

Source: CCN
Type: Red Hat Security
RHSA-2016:2117-1 - Moderate: openstack-manila-ui security update

Source: CCN
Type: RHSA-2016-2117
Moderate: openstack-manila-ui security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:2117

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20160915 CVE-2016-6519: openstack-manila: Persistent XSS in Metadata field

Source: BID
Type: Third Party Advisory, VDB Entry
93001

Source: CCN
Type: BID-93001
OpenStack manila CVE-2016-6519 HTML Injection Vulnerability

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory, VDB Entry
https://bugs.launchpad.net/manila-ui/+bug/1597738

Source: CCN
Type: Red Hat Bugzilla
Red Hat Bugzilla – Bug 1375147

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1375147

Source: XF
Type: UNKNOWN
redhat-openstack-cve20166519-xss(118689)

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:redhat:openstack:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openstack:9:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openstack:8:*:*:*:*:*:*:*

  Configuration 2:
  • cpe:/a:openstack:manila:*:*:*:*:*:*:*:* (Version <= 2.5)

  • * Denotes that component is vulnerable
    Oval Definitions (Class: P = patch definition, V = vulnerability definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:55271 | P | Security update for postgresql10 (Important) | 2021-11-22
    oval:org.opensuse.security:def:55954 | P | Security update for python-urllib3 (Moderate) | 2021-09-29
    oval:org.opensuse.security:def:55788 | P | Security update for cyrus-sasl (Important) | 2020-12-28
    oval:org.opensuse.security:def:55131 | P | Security update for spice (Important) | 2020-12-16
    oval:org.opensuse.security:def:56551 | P | Security update for libsndfile (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55682 | P | Security update for openssl (Important) | 2020-12-01
    oval:org.opensuse.security:def:56347 | P | Security update for bind (Important) | 2020-12-01
    oval:org.opensuse.security:def:56632 | P | Security update for jasper (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56439 | P | Security update for samba and resource-agents (Important) | 2020-12-01
    oval:org.opensuse.security:def:55108 | P | fontconfig on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56513 | P | Security update for libvorbis (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55509 | P | Security update for clamav (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56239 | P | Security update for MozillaFirefox (Important) | 2020-12-01
    oval:org.opensuse.security:def:55109 | P | freerdp on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:20166519 | V | CVE-2016-6519 | 2020-11-28
    oval:com.ubuntu.xenial:def:201665190000000 | V | CVE-2016-6519 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-04-21
    oval:com.ubuntu.artful:def:20166519000 | V | CVE-2016-6519 on Ubuntu 17.10 (artful) - medium. | 2017-04-21
    oval:com.ubuntu.disco:def:201665190000000 | V | CVE-2016-6519 on Ubuntu 19.04 (disco) - medium. | 2017-04-21
    oval:com.ubuntu.bionic:def:20166519000 | V | CVE-2016-6519 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-04-21
    oval:com.ubuntu.cosmic:def:201665190000000 | V | CVE-2016-6519 on Ubuntu 18.10 (cosmic) - medium. | 2017-04-21
    oval:com.ubuntu.cosmic:def:20166519000 | V | CVE-2016-6519 on Ubuntu 18.10 (cosmic) - medium. | 2017-04-21
    oval:com.ubuntu.bionic:def:201665190000000 | V | CVE-2016-6519 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-04-21
    oval:com.ubuntu.xenial:def:20166519000 | V | CVE-2016-6519 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-04-21