CVE-2016-4946

MEDIUM

Cloudera Hue < 3.9.0 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE 3.9.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) First name or (2) Last name field in the HUE Users page.

References (2)

[Third Party Advisory] http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/93881

Scores

CVSS v3 6.1

EPSS 0.0020

EPSS Percentile 41.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

cloudera/hue < 3.9.0

n/a/n/a

Timeline

Published Mar 07, 2017

Tracked Since Feb 18, 2026