CVE-2016-6209

Table of Contents

Impact:
Moderate
Public Date:
2016-06-09
CWE:
CWE-79
Bugzilla:
1346217: CVE-2016-6209 nagios: Reflected XSS vulnerability and possible phishing vector
A user supplied GET parameter is used to create the value used as the src value of an iframe displayed on all pages. It allows for CSRF and javascript insertion techniques among others. An attacker could forge a malicious URL that could include javascript execution in the main browser frame context, force the target to view a malicious web page (client side) or take advantage of concurrent cookies / sessions and perform a CSRF attack against other openstack components such as horizon.

Find out more about CVE-2016-6209 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Mobile Application Platform On-Premise 4.2.0 nagios Not affected
Red Hat Mobile Application Platform On-Premise 4.1.0 nagios Will not fix
Red Hat Gluster Storage 3.1 nagios Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 nagios Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 nagios Will not fix
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) nagios Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified