CVE-2016-1566
Published: 2 February 2017
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed.
Notes
Author | Note |
---|---|
seth-arnold | It looks like the guacamole version numbers are useless: there are both broken versions 0.9.8 and 0.9.9 and fixed versions 0.9.8 and 0.9.9. They apparently make changes and republish with the same version number. Thus I'm being conservative and marking everything as affected. |
ebarretto | Affects client only |
Priority
Status
Package | Release | Status |
---|---|---|
guacamole-client (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
guacamole-client | bionic | Not vulnerable |
guacamole-client | cosmic | Not vulnerable |
guacamole-client | precise | Does not exist |
guacamole-client | trusty | Does not exist (trusty was not-affected [code not present]) |
guacamole-client | upstream | Needed |
guacamole-client | xenial | Not vulnerable (code not present) |
guacamole-client | yakkety | Ignored (end of life) |
guacamole-client | zesty | Ignored (end of life) |
guacamole-server (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
guacamole-server | bionic | Not vulnerable (code not present) |
guacamole-server | cosmic | Not vulnerable (code not present) |
guacamole-server | precise | Does not exist |
guacamole-server | trusty | Does not exist (trusty was not-affected [code not present]) |
guacamole-server | upstream | Needed |
guacamole-server | xenial | Not vulnerable (code not present) |
guacamole-server | yakkety | Ignored (end of life) |
guacamole-server | zesty | Ignored (end of life) |
Patches: upstream: https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |