MEDIUM🇵🇱 Wersja polska

CVE-2016-9834

CVSS 6.1v3.0pub. 2017-06-07upd. 2026-05-13

An XSS vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of Sophos Cyberoam firewall devices with firmware through 10.6.4. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a request to the "LiveConnectionDetail.jsp" application. GET parameters "applicationname" and "username" are improperly sanitized allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user. A vulnerable URI is /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Sophos Cyberoam

    HW
    Sophos
    wszystkie wersje
  • Sophos Cyberoam Firmware

    OS
    Sophos
    ≤ 10.6.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSSFirewall
CWE
References

Related vulnerabilities

CVE-2019-17059CRITICAL9.8ten sam produkt

A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 a...

CVE-2023-1671CRITICAL9.8⚠ KEVten sam vendor

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than vers...

CVE-2022-3236CRITICAL9.8⚠ KEVten sam vendor

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sop...

CVE-2022-1040CRITICAL9.8⚠ KEVten sam vendor

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute cod...

CVE-2020-29574CRITICAL9.8⚠ KEVten sam vendor

An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attack...