ID

VAR-201702-0425


CVE

CVE-2016-5811


TITLE

Visonic PowerLink2 Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-007652

DESCRIPTION

An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release. User-controlled input is not neutralized prior to being placed in web page output (CROSS-SITE SCRIPTING). Visonic PowerLink2 is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials or gain access to sensitive information. Visonic PowerLink2 is a web interface for viewing and controlling intrusion prevention systems from Visonic, Israel. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Trust: 1.98

sources: NVD: CVE-2016-5811 // JVNDB: JVNDB-2016-007652 // BID: 94894 // VULHUB: VHN-94630

AFFECTED PRODUCTS

vendor: visonic, model: powerlink2, scope: eq, version: -

Trust: 1.6

vendor: visonic, model: powerlink2, scope: -, version: -

Trust: 0.8

vendor: visonic, model: powerlink2, scope: lt, version: october 2016

Trust: 0.8

vendor: tyco, model: powerlink2, scope: eq, version: 0

Trust: 0.3

sources: BID: 94894 // JVNDB: JVNDB-2016-007652 // CNNVD: CNNVD-201612-506 // NVD: CVE-2016-5811

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5811
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-5811
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201612-506
value: MEDIUM

Trust: 0.6

VULHUB: VHN-94630
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-5811
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-94630
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5811
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2016-5811
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-94630 // JVNDB: JVNDB-2016-007652 // CNNVD: CNNVD-201612-506 // NVD: CVE-2016-5811

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-94630 // JVNDB: JVNDB-2016-007652 // NVD: CVE-2016-5811

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-506

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201612-506

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007652

PATCH

title: Top Page, url: http://www.visonic.com/en-hp-new?setRegion=true

Trust: 0.8

title: Visonic PowerLink2 Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66540

Trust: 0.6

sources: JVNDB: JVNDB-2016-007652 // CNNVD: CNNVD-201612-506

EXTERNAL IDS

db: NVD, id: CVE-2016-5811

Trust: 2.8

db: ICS CERT, id: ICSA-16-348-01

Trust: 2.8

db: BID, id: 94894

Trust: 2.0

db: JVNDB, id: JVNDB-2016-007652

Trust: 0.8

db: CNNVD, id: CNNVD-201612-506

Trust: 0.7

db: VULHUB, id: VHN-94630

Trust: 0.1

sources: VULHUB: VHN-94630 // BID: 94894 // JVNDB: JVNDB-2016-007652 // CNNVD: CNNVD-201612-506 // NVD: CVE-2016-5811

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-348-01

Trust: 2.8

url:http://www.securityfocus.com/bid/94894

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5811

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5811

Trust: 0.8

url:https://www.visonic.com

Trust: 0.3

sources: VULHUB: VHN-94630 // BID: 94894 // JVNDB: JVNDB-2016-007652 // CNNVD: CNNVD-201612-506 // NVD: CVE-2016-5811

CREDITS

Aditya K. Sood.

Trust: 0.9

sources: BID: 94894 // CNNVD: CNNVD-201612-506

SOURCES

db: VULHUB, id: VHN-94630
db: BID, id: 94894
db: JVNDB, id: JVNDB-2016-007652
db: CNNVD, id: CNNVD-201612-506
db: NVD, id: CVE-2016-5811

LAST UPDATE DATE

2024-11-23T21:54:17.224000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-94630, date: 2017-02-17T00:00:00
db: BID, id: 94894, date: 2016-12-20T01:09:00
db: JVNDB, id: JVNDB-2016-007652, date: 2017-03-08T00:00:00
db: CNNVD, id: CNNVD-201612-506, date: 2021-09-10T00:00:00
db: NVD, id: CVE-2016-5811, date: 2024-11-21T02:55:03.210

SOURCES RELEASE DATE

db: VULHUB, id: VHN-94630, date: 2017-02-13T00:00:00
db: BID, id: 94894, date: 2016-12-13T00:00:00
db: JVNDB, id: JVNDB-2016-007652, date: 2017-03-08T00:00:00
db: CNNVD, id: CNNVD-201612-506, date: 2016-12-15T00:00:00
db: NVD, id: CVE-2016-5811, date: 2017-02-13T21:59:00.440