Vulnerability Description
The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudfoundry | Cloud Foundry Uaa Bosh | 2 |
| Pivotal Software | Cloud Foundry | 208 |
| Pivotal Software | Cloud Foundry Elastic Runtime | 1.6.0 |
| Pivotal Software | Cloud Foundry Uaa | <= 2.7.4.1 |
| Pivotal Software | Login-Server | - |
Related Weaknesses (CWE)
References
- https://pivotal.io/security/cve-2016-0781Vendor Advisory
- https://pivotal.io/security/cve-2016-0781Vendor Advisory
FAQ
What is CVE-2016-0781?
CVE-2016-0781 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions pr...
How severe is CVE-2016-0781?
CVE-2016-0781 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-0781?
Check the references section above for vendor advisories and patch information. Affected products include: Cloudfoundry Cloud Foundry Uaa Bosh, Pivotal Software Cloud Foundry, Pivotal Software Cloud Foundry Elastic Runtime, Pivotal Software Cloud Foundry Uaa, Pivotal Software Login-Server.