CVE-2016-2058

MEDIUM

Xymon <4.3.25 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow (1) remote Xymon clients to inject arbitrary web script or HTML via a status-message, which is not properly handled in the "detailed status" page, or (2) remote authenticated users to inject arbitrary web script or HTML via an acknowledgement message, which is not properly handled in the "status" page.

Scores

CVSS v3: 5.4
EPSS: 0.0024
EPSS Percentile: 47.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE: CWE-79
Status: draft

Affected Products (44)

debian/debian_linux
xymon/xymon (14 entries)
... and 29 more

Timeline

Published: Apr 13, 2016
Tracked Since: Feb 18, 2026