Vulnerability CVE-2016-5761


Published: 2017-04-20   Modified: 2017-04-25

Description:
Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Micro Focus GroupWise 2014 R2 (<=SP1) Multiple vulnerabilities
SEC Consult
25.08.2016

Vendor: Novell
Product: Groupwise 
Version: 2014_r2; 2014;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://packetstormsecurity.com/files/138503/Micro-Focus-GroupWise-Cross-Site-Scripting-Overflows.html
http://seclists.org/fulldisclosure/2016/Aug/123
http://www.securityfocus.com/archive/1/archive/1/539296/100/0/threaded
http://www.securityfocus.com/bid/92645
https://www.novell.com/support/kb/doc.php?id=7017974
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160825-0_Micro_Focus_GroupWise_Multiple_vulnerabilities_v10.txt

Related CVE
CVE-2015-5219
The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet.
CVE-2017-8932
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progress...
CVE-2017-1000366
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made t...
CVE-2016-9961
game-music-emu before 0.6.1 mishandles unspecified integer values.
CVE-2016-9960
game-music-emu before 0.6.1 allows local users to cause a denial of service (divide by zero and process crash).
CVE-2017-8386
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain pr...
CVE-2016-9842
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVE-2016-9843
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

Copyright 2017, cxsecurity.com