ID

VAR-201609-0034


CVE

CVE-2016-4058


TITLE

Huawei Policy Center vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-005040

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Huawei Policy Center before V100R003C10SPC020 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to "special characters on pages." Huawei Policy Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Huawei Policy Center is policy management center software from the Chinese company Huawei. The software provides functions such as visitor management and a customized Portal login interface.

Trust: 1.98

sources: NVD: CVE-2016-4058 // JVNDB: JVNDB-2016-005040 // BID: 86546 // VULHUB: VHN-92877

AFFECTED PRODUCTS

vendor: huawei, model: policy center, scope: eq, version: v100r003c00

Trust: 1.6

vendor: huawei, model: policy center, scope: eq, version: v100r003c10

Trust: 1.6

vendor: huawei, model: policy center, scope: lt, version: v100r003c10spc020

Trust: 0.8

vendor: huawei, model: policy center v100r003c10, scope: -, version: -

Trust: 0.3

vendor: huawei, model: policy center v100r003c00, scope: -, version: -

Trust: 0.3

vendor: huawei, model: policy center v100r003c10spc020, scope: ne, version: -

Trust: 0.3

sources: BID: 86546 // JVNDB: JVNDB-2016-005040 // CNNVD: CNNVD-201608-455 // NVD: CVE-2016-4058

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-4058
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-4058
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201608-455
value: LOW

Trust: 0.6

VULHUB: VHN-92877
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-4058
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-92877
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-4058
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-92877 // JVNDB: JVNDB-2016-005040 // CNNVD: CNNVD-201608-455 // NVD: CVE-2016-4058

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-92877 // JVNDB: JVNDB-2016-005040 // NVD: CVE-2016-4058

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-455

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201608-455

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005040

PATCH

title: huawei-sa-20160419-01-policycenter, url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160419-01-policycenter-en

Trust: 0.8

title: Huawei Policy Center Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63778

Trust: 0.6

sources: JVNDB: JVNDB-2016-005040 // CNNVD: CNNVD-201608-455

EXTERNAL IDS

db: NVD, id: CVE-2016-4058

Trust: 2.8

db: BID, id: 86546

Trust: 2.0

db: JVNDB, id: JVNDB-2016-005040

Trust: 0.8

db: CNNVD, id: CNNVD-201608-455

Trust: 0.7

db: VULHUB, id: VHN-92877

Trust: 0.1

sources: VULHUB: VHN-92877 // BID: 86546 // JVNDB: JVNDB-2016-005040 // CNNVD: CNNVD-201608-455 // NVD: CVE-2016-4058

REFERENCES

url:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160419-01-policycenter-en

Trust: 2.0

url:http://www.securityfocus.com/bid/86546

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4058

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4058

Trust: 0.8

url:http://www.huawei.com

Trust: 0.3

sources: VULHUB: VHN-92877 // BID: 86546 // JVNDB: JVNDB-2016-005040 // CNNVD: CNNVD-201608-455 // NVD: CVE-2016-4058

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 86546

SOURCES

db: VULHUB, id: VHN-92877
db: BID, id: 86546
db: JVNDB, id: JVNDB-2016-005040
db: CNNVD, id: CNNVD-201608-455
db: NVD, id: CVE-2016-4058

LAST UPDATE DATE

2024-11-23T22:56:21.452000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-92877, date: 2016-11-28T00:00:00
db: BID, id: 86546, date: 2016-08-24T17:00:00
db: JVNDB, id: JVNDB-2016-005040, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201608-455, date: 2016-09-28T00:00:00
db: NVD, id: CVE-2016-4058, date: 2024-11-21T02:51:15.827

SOURCES RELEASE DATE

db: VULHUB, id: VHN-92877, date: 2016-09-27T00:00:00
db: BID, id: 86546, date: 2016-04-19T00:00:00
db: JVNDB, id: JVNDB-2016-005040, date: 2016-10-04T00:00:00
db: CNNVD, id: CNNVD-201608-455, date: 2016-04-19T00:00:00
db: NVD, id: CVE-2016-4058, date: 2016-09-27T15:59:00.157