CVE-2015-7676 - OpenCVE

Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ipswitch	Moveit Dmz

Configuration 1 [-]

cpe:2.3:a:ipswitch:moveit_dmz:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/135458/Ipswitch-MOVEit-DMZ-8.1-Persistent-Cross-Site-Scripting.html	Exploit
http://seclists.org/fulldisclosure/2016/Jan/95
http://www.securityfocus.com/bid/90574
https://profundis-labs.com/advisories/CVE-2015-7676.txt	Exploit

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-04-15T15:00:00

Updated: 2016-11-25T19:57:01

Reserved: 2015-10-02T00:00:00

Link: CVE-2015-7676

JSON object: View

NVD Information

Status : Modified

Published: 2016-04-15T15:59:01.080

Modified: 2016-11-28T19:44:27.677

Link: CVE-2015-7676

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-27T00:00:00", "descriptions": [{"lang": "en", "value": "Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20160127 Multiple security issues in MOVEit Managed File Transfer application", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Jan/95"}, {"name": "90574", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/90574"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/135458/Ipswitch-MOVEit-DMZ-8.1-Persistent-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC"], "url": "https://profundis-labs.com/advisories/CVE-2015-7676.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7676", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20160127 Multiple security issues in MOVEit Managed File Transfer application", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Jan/95"}, {"name": "90574", "refsource": "BID", "url": "http://www.securityfocus.com/bid/90574"}, {"name": "http://packetstormsecurity.com/files/135458/Ipswitch-MOVEit-DMZ-8.1-Persistent-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/135458/Ipswitch-MOVEit-DMZ-8.1-Persistent-Cross-Site-Scripting.html"}, {"name": "https://profundis-labs.com/advisories/CVE-2015-7676.txt", "refsource": "MISC", "url": "https://profundis-labs.com/advisories/CVE-2015-7676.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7676", "datePublished": "2016-04-15T15:00:00", "dateReserved": "2015-10-02T00:00:00", "dateUpdated": "2016-11-25T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ipswitch:moveit_dmz:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8C09B13-29FD-4A22-A77F-83B9434DBE33", "versionEndIncluding": "8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files."}, {"lang": "es", "value": "Ipswitch MOVEit File Transfer (anteriormente DMZ) 8.1 y versiones anteriores, cuando est\u00e1 configurado para soportar la vista del archivo en la descarga, permite a usuarios remotos autenticados llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) subiendo archivos HTML."}], "id": "CVE-2015-7676", "lastModified": "2016-11-28T19:44:27.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-15T15:59:01.080", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/135458/Ipswitch-MOVEit-DMZ-8.1-Persistent-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2016/Jan/95"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/90574"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://profundis-labs.com/advisories/CVE-2015-7676.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}