CVE-2016-8527

MEDIUM NUCLEI

Aruba Airwave < 8.2.3.1 - Reflected Cross-Site Scripting in VisualRF Component

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-8527. PoCs published by SEC Consult. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a detailed security advisory describing XML External Entity Injection (XXE) and Reflected Cross-Site Scripting (XSS) vulnerabilities in Aruba AirWave. It includes proof-of-concept examples for exploiting these vulnerabilities.

Description

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into AirWave in the same browser.

Exploits (1)

exploitdb WRITEUP VERIFIED

by SEC Consult · textwebappsxml

https://www.exploit-db.com/exploits/41482

View Code ZIP pw:eip

This is a detailed security advisory describing XML External Entity Injection (XXE) and Reflected Cross-Site Scripting (XSS) vulnerabilities in Aruba AirWave. It includes proof-of-concept examples for exploiting these vulnerabilities.

Classification

Writeup 100%

Attack Type

Info Leak | Xss

Complexity

Moderate

Reliability

Reliable

Target: Aruba AirWave <=8.2.3

Auth required

Prerequisites: Access to the Aruba AirWave application · Low-privileged user account

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Aruba Airwave <8.2.3.1 - Cross-Site Scripting

MEDIUMby pikpikcu

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96495

Vendor Advisory x_refsource_confirm

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41482/

Scores

CVSS v3 6.1

EPSS 0.1316

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

hp/airwave < 8.2.3.1

Published Aug 06, 2018

Tracked Since Feb 18, 2026