CVE-2016-0891

HIGH

EMC ViPR SRM < 3.6.4 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-0891. PoCs published by Han Sahin.

AI-analyzed exploit summary: This is a proof-of-concept for a CSRF vulnerability in EMC M&R (Watch4net) that allows an attacker to create a new user with administrative privileges if the victim is logged in as an administrator. The exploit uses a hidden HTML form with JavaScript auto-submission to trigger the action.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Han Sahin · html · webapps · multiple
https://www.exploit-db.com/exploits/39738

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: EMC M&R (Watch4net) prior to version 3.7
Auth required
Prerequisites: Victim must be authenticated as an administrator · Victim must visit the malicious HTML page
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/538207/100/0/threaded
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39738/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/136837/EMC-ViPR-SRM-Cross-Site-Request-Forgery.html
Third Party Advisory, VDB Entry mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Apr/89
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://seclists.org/bugtraq/2016/Apr/106

Scores

CVSS v3 8.8
EPSS 0.0309
EPSS Percentile 87.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
emc/vipr_srm < 3.6.4
Published Apr 20, 2016
Tracked Since Feb 18, 2026