6.1
CVE-2016-0781
- EPSS 0.27%
- Published 25.05.2017 17:29:00
- Last modified 20.04.2025 01:37:25
- Source security_alert@emc.com
The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious JavaScript content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
Data is provided by the National Vulnerability Database (NVD)
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version2
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version3
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version4
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version5
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version6
Cloudfoundry ≫ Cloud Foundry Uaa Bosh Version7
Pivotal Software ≫ Cloud Foundry Version208
Pivotal Software ≫ Cloud Foundry Version209
Pivotal Software ≫ Cloud Foundry Version210
Pivotal Software ≫ Cloud Foundry Version211
Pivotal Software ≫ Cloud Foundry Version212
Pivotal Software ≫ Cloud Foundry Version213
Pivotal Software ≫ Cloud Foundry Version214
Pivotal Software ≫ Cloud Foundry Version215
Pivotal Software ≫ Cloud Foundry Version216
Pivotal Software ≫ Cloud Foundry Version217
Pivotal Software ≫ Cloud Foundry Version218
Pivotal Software ≫ Cloud Foundry Version219
Pivotal Software ≫ Cloud Foundry Version220
Pivotal Software ≫ Cloud Foundry Version221
Pivotal Software ≫ Cloud Foundry Version222
Pivotal Software ≫ Cloud Foundry Version223
Pivotal Software ≫ Cloud Foundry Version224
Pivotal Software ≫ Cloud Foundry Version225
Pivotal Software ≫ Cloud Foundry Version226
Pivotal Software ≫ Cloud Foundry Version227
Pivotal Software ≫ Cloud Foundry Version228
Pivotal Software ≫ Cloud Foundry Version229
Pivotal Software ≫ Cloud Foundry Version230
Pivotal Software ≫ Cloud Foundry Version231
Pivotal Software ≫ Cloud Foundry Version241
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.0
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.1
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.2
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.3
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.4
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.5
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.6
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.7
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.8
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.9
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.10
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.11
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.12
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.13
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.14
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.15
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.16
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.17
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.18
Pivotal Software ≫ Cloud Foundry Elastic Runtime Version1.6.19
Pivotal Software ≫ Cloud Foundry Uaa Version <= 2.7.4.1
Pivotal Software ≫ Cloud Foundry Uaa Version3.0.0
Pivotal Software ≫ Cloud Foundry Uaa Version3.0.1
Pivotal Software ≫ Cloud Foundry Uaa Version3.1.0
Pivotal Software ≫ Cloud Foundry Uaa Version3.2.0
Pivotal Software ≫ Login-server Version-
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.27% | 0.471 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.