Vulnerability Description
An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sophos | Cyberoam Firmware | <= 10.6.4 |
| Sophos | Cyberoam | - |
Related Weaknesses (CWE)
References
- http://seclists.org/bugtraq/2017/Jun/4Mailing ListThird Party AdvisoryVDB Entry
- http://seclists.org/bugtraq/2017/Jun/4Mailing ListThird Party AdvisoryVDB Entry
FAQ
What is CVE-2016-9834?
CVE-2016-9834 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is r...
How severe is CVE-2016-9834?
CVE-2016-9834 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9834?
Check the references section above for vendor advisories and patch information. Affected products include: Sophos Cyberoam Firmware, Sophos Cyberoam.