ID

VAR-201801-0018


CVE

CVE-2016-10256


TITLE

Symantec ProxySG vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-001361

DESCRIPTION

The Symantec ProxySG 6.5 (prior to 6.5.10.6), 6.6, and 6.7 (prior to 6.7.2.1) management console is susceptible to a reflected XSS vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to inject arbitrary JavaScript code into the management console web client application. This is a separate vulnerability from CVE-2016-10257. Symantec ProxySG contains a cross-site scripting vulnerability. This vulnerability is different from CVE-2016-10257. Information may be obtained and falsified. Symantec ProxySG is prone to a cross-site-scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Trust: 1.89

sources: NVD: CVE-2016-10256 // JVNDB: JVNDB-2018-001361 // BID: 102451

AFFECTED PRODUCTS

vendor: symantec // model: proxysg // scope: eq // version: 6.6

Trust: 1.4

vendor: broadcom // model: symantec proxysg // scope: gte // version: 6.5

Trust: 1.0

vendor: broadcom // model: symantec proxysg // scope: gte // version: 6.7

Trust: 1.0

vendor: broadcom // model: symantec proxysg // scope: lt // version: 6.7.2.1

Trust: 1.0

vendor: broadcom // model: symantec proxysg // scope: eq // version: 6.6

Trust: 1.0

vendor: broadcom // model: symantec proxysg // scope: lt // version: 6.5.10.6

Trust: 1.0

vendor: symantec // model: proxysg // scope: eq // version: 6.7.2.1

Trust: 0.8

vendor: symantec // model: proxysg // scope: lt // version: 6.5

Trust: 0.8

vendor: symantec // model: proxysg // scope: eq // version: 6.5.10.6

Trust: 0.8

vendor: symantec // model: proxysg // scope: lt // version: 6.7

Trust: 0.8

vendor: bluecoat // model: proxysg // scope: eq // version: 6.7

Trust: 0.3

vendor: bluecoat // model: proxysg // scope: eq // version: 6.6

Trust: 0.3

vendor: bluecoat // model: proxysg // scope: eq // version: 6.5

Trust: 0.3

vendor: symantec // model: proxysg // scope: ne // version: 6.7.2.1

Trust: 0.3

vendor: symantec // model: proxysg // scope: ne // version: 6.5.10.6

Trust: 0.3

sources: BID: 102451 // JVNDB: JVNDB-2018-001361 // CNNVD: CNNVD-201703-1032 // NVD: CVE-2016-10256

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-10256
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-10256
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-1032
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2016-10256
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2016-10256
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-001361 // CNNVD: CNNVD-201703-1032 // NVD: CVE-2016-10256

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-001361 // NVD: CVE-2016-10256

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-1032

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-1032

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001361

PATCH

title: SA155 // url: https://www.symantec.com/security-center/network-protection-security-advisories/SA155

Trust: 0.8

title: Symantec ProxySG Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155176

Trust: 0.6

sources: JVNDB: JVNDB-2018-001361 // CNNVD: CNNVD-201703-1032

EXTERNAL IDS

db: NVD // id: CVE-2016-10256

Trust: 2.7

db: BID // id: 102451

Trust: 1.9

db: SECTRACK // id: 1040138

Trust: 1.6

db: JVNDB // id: JVNDB-2018-001361

Trust: 0.8

db: CNNVD // id: CNNVD-201703-1032

Trust: 0.6

sources: BID: 102451 // JVNDB: JVNDB-2018-001361 // CNNVD: CNNVD-201703-1032 // NVD: CVE-2016-10256

REFERENCES

url: http://www.securitytracker.com/id/1040138

Trust: 1.6

url: https://www.symantec.com/security-center/network-protection-security-advisories/sa155

Trust: 1.6

url: http://www.securityfocus.com/bid/102451

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10256

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2016-10256

Trust: 0.8

url: https://www.symantec.com/products/secure-web-gateway-proxy-sg-and-asg

Trust: 0.3

url: http://www.symantec.com

Trust: 0.3

sources: BID: 102451 // JVNDB: JVNDB-2018-001361 // CNNVD: CNNVD-201703-1032 // NVD: CVE-2016-10256

CREDITS

Jakub Palaczynski and Pawel Bartunek.

Trust: 0.3

sources: BID: 102451

SOURCES

db: BID // id: 102451
db: JVNDB // id: JVNDB-2018-001361
db: CNNVD // id: CNNVD-201703-1032
db: NVD // id: CVE-2016-10256

LAST UPDATE DATE

2024-11-23T21:53:31.377000+00:00


SOURCES UPDATE DATE

db: BID // id: 102451 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001361 // date: 2018-02-09T00:00:00
db: CNNVD // id: CNNVD-201703-1032 // date: 2021-06-28T00:00:00
db: NVD // id: CVE-2016-10256 // date: 2024-11-21T02:43:40.283

SOURCES RELEASE DATE

db: BID // id: 102451 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001361 // date: 2018-02-09T00:00:00
db: CNNVD // id: CNNVD-201703-1032 // date: 2017-03-24T00:00:00
db: NVD // id: CVE-2016-10256 // date: 2018-01-10T02:29:31.833