CVE-2016-8748 - OpenCVE

In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Nifi

Configuration 1 [-]

OR	cpe:2.3:a:apache:nifi::::::::
	cpe:2.3:a:apache:nifi:1.1.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/95621	Third Party Advisory VDB Entry
https://nifi.apache.org/security.html#CVE-2016-8748	Issue Tracking Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2016-12-19T00:00:00

Updated: 2018-01-26T10:57:01

Reserved: 2016-10-18T00:00:00

Link: CVE-2016-8748

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-10-19T20:29:00.220

Modified: 2019-05-01T20:20:17.510

Link: CVE-2016-8748

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Apache NiFi", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.0.0"}, {"status": "affected", "version": "1.1.0"}]}], "datePublic": "2016-12-19T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-26T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "95621", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95621"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://nifi.apache.org/security.html#CVE-2016-8748"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2016-12-19T00:00:00", "ID": "CVE-2016-8748", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache NiFi", "version": {"version_data": [{"version_value": "1.0.0"}, {"version_value": "1.1.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "95621", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95621"}, {"name": "https://nifi.apache.org/security.html#CVE-2016-8748", "refsource": "CONFIRM", "url": "https://nifi.apache.org/security.html#CVE-2016-8748"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-8748", "datePublished": "2016-12-19T00:00:00", "dateReserved": "2016-10-18T00:00:00", "dateUpdated": "2018-01-26T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D823F3D-4DF7-4D4A-B9D2-612682054169", "versionEndIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "01B8572D-CA8D-4A41-B94A-A393A22B5B9D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM."}, {"lang": "es", "value": "En Apache NiFi, en versiones anteriores a la 1.0.1 y versiones 1.1.x anteriores a la 1.1.1, hay una vulnerabilidad de Cross-Site Scripting (XSS) en el di\u00e1logo de detalles de conexi\u00f3n cuando accede un usuario autorizado. El texto proporcionado por el usuario no se gestionaba correctamente cuando se a\u00f1ad\u00eda al DOM."}], "id": "CVE-2016-8748", "lastModified": "2019-05-01T20:20:17.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-19T20:29:00.220", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95621"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://nifi.apache.org/security.html#CVE-2016-8748"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}