Sign-up

ID

VAR-201708-0163


CVE

CVE-2016-5795


TITLE

plural ALC In product XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-008818

DESCRIPTION

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. ALC WebCTRL , i-Vu ,and SiteScan Web Is XML An external entity vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AutomatedLogic provides a complete set of building electrical and mechanical control systems for the majority of users, including central air conditioning automatic control, power distribution monitoring, water supply and drainage monitoring, lighting monitoring and elevator monitoring. The system has been widely used in the United States, China and other regions. There are XML external entity vulnerabilities in multiple devices of AutomatedLogicCorporation. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service condition

Trust: 2.61

sources: NVD: CVE-2016-5795 // JVNDB: JVNDB-2016-008818 // CNVD: CNVD-2017-24364 // BID: 100558 // IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3 // CNVD: CNVD-2017-24364

AFFECTED PRODUCTS

vendor:carriermodel:automatedlogic webctrlscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:i-vuscope:lteversion:6.5

Trust: 1.0

vendor:automatedlogicmodel:sitescan webscope:lteversion:6.5

Trust: 1.0

vendor:automated logicmodel:i-vuscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:sitescan webscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:webctrlscope:lteversion:6.5

Trust: 0.8

vendor:automated logicmodel:carrier i-vuscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:alc webctrlscope:lteversion:<=6.5

Trust: 0.6

vendor:automated logicmodel:liebert sitescan webscope:lteversion:<=6.5

Trust: 0.6

vendor:automatedlogicmodel:i-vuscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:webctrlscope:eqversion:6.5

Trust: 0.6

vendor:automatedlogicmodel:sitescan webscope:eqversion:6.5

Trust: 0.6

vendor:automated logicmodel:webctrlscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:webctrlscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:sitescan webscope:eqversion:5.2

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.1

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:6.0

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.5

Trust: 0.3

vendor:automated logicmodel:i-vuscope:eqversion:5.2

Trust: 0.3

vendor:i vumodel: - scope:eqversion:*

Trust: 0.2

vendor:sitescan webmodel: - scope:eqversion:*

Trust: 0.2

vendor:webctrlmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3 // CNVD: CNVD-2017-24364 // BID: 100558 // JVNDB: JVNDB-2016-008818 // CNNVD: CNNVD-201708-1409 // NVD: CVE-2016-5795

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5795
value: HIGH

Trust: 1.0

NVD: CVE-2016-5795
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-24364
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201708-1409
value: HIGH

Trust: 0.6

IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2016-5795
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-24364
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-5795
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3 // CNVD: CNVD-2017-24364 // JVNDB: JVNDB-2016-008818 // CNNVD: CNNVD-201708-1409 // NVD: CVE-2016-5795

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2016-008818 // NVD: CVE-2016-5795

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-1409

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201708-1409

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-008818

PATCH
title:Top Pageurl:http://www.automatedlogic.com/
Trust: 0.8
title:AutomatedLogicCorporation Patch for Multiple Device XML External Entity Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/101402
Trust: 0.6
title:ALC Liebert SiteScan Web , ALC WebCTRL  and Carrier i-Vu Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74504
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-24364 // 
            
            
            
            JVNDB: JVNDB-2016-008818 // 
            
            
            
            CNNVD: CNNVD-201708-1409

EXTERNAL IDS
db:NVDid:CVE-2016-5795
Trust: 3.5
db:ICS CERTid:ICSA-17-150-01
Trust: 3.3
db:BIDid:100558
Trust: 1.9
db:CNVDid:CNVD-2017-24364
Trust: 0.8
db:CNNVDid:CNNVD-201708-1409
Trust: 0.8
db:JVNDBid:JVNDB-2016-008818
Trust: 0.8
db:IVDid:52EF8BD8-D974-45FB-AA99-07306C190DE3
Trust: 0.2
sources:
            
            
            IVD: 52ef8bd8-d974-45fb-aa99-07306c190de3 // 
            
            
            
            CNVD: CNVD-2017-24364 // 
            
            
            
            BID: 100558 // 
            
            
            
            JVNDB: JVNDB-2016-008818 // 
            
            
            
            CNNVD: CNNVD-201708-1409 // 
            
            
            
            NVD: CVE-2016-5795

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-150-01
Trust: 3.3
url:http://www.securityfocus.com/bid/100558
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5795
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-5795
Trust: 0.8
url:http://www.automatedlogic.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-24364 // 
            
            
            
            BID: 100558 // 
            
            
            
            JVNDB: JVNDB-2016-008818 // 
            
            
            
            CNNVD: CNNVD-201708-1409 // 
            
            
            
            NVD: CVE-2016-5795

CREDITS
Evgeny Ermakov from Kaspersky Lab.
Trust: 0.3
sources:
            
            
            BID: 100558

SOURCES
db:IVDid:52ef8bd8-d974-45fb-aa99-07306c190de3
db:CNVDid:CNVD-2017-24364
db:BIDid:100558
db:JVNDBid:JVNDB-2016-008818
db:CNNVDid:CNNVD-201708-1409
db:NVDid:CVE-2016-5795

LAST UPDATE DATE
2025-04-20T23:13:02.428000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-24364date:2017-09-02T00:00:00
db:BIDid:100558date:2017-08-31T00:00:00
db:JVNDBid:JVNDB-2016-008818date:2017-09-28T00:00:00
db:CNNVDid:CNNVD-201708-1409date:2021-08-02T00:00:00
db:NVDid:CVE-2016-5795date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:52ef8bd8-d974-45fb-aa99-07306c190de3date:2017-09-02T00:00:00
db:CNVDid:CNVD-2017-24364date:2017-09-01T00:00:00
db:BIDid:100558date:2017-08-31T00:00:00
db:JVNDBid:JVNDB-2016-008818date:2017-09-28T00:00:00
db:CNNVDid:CNNVD-201708-1409date:2017-08-31T00:00:00
db:NVDid:CVE-2016-5795date:2017-08-31T21:29:00.187