CVE-2016-1566
Publication date 2 February 2017
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed.
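The description above says the injection vector is a crafted file name shown by a browser-side file listing. The following JavaScript is an added example written for this page, not code from the Guacamole project; `escapeHtml`, `renderFileList` and the sample entries are assumptions chosen to illustrate the defence, which is to treat every file name as untrusted text and escape it before it is placed into HTML.

```javascript
// Added example: escaping user-controlled file names before they are
// rendered into a browser-side file listing. The function and names are
// assumptions for illustration, not Guacamole's own code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML text or attribute
// context with its entity, so the browser shows it literally.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Build the HTML for a shared-directory listing. Each file name is
// escaped once and then used both as visible text and as an attribute
// value; the size is coerced to a number so it cannot carry markup.
function renderFileList(entries) {
  const items = entries.map((entry) => {
    const name = escapeHtml(entry.name);
    const size = Number(entry.size);
    return `<li data-name="${name}">${name} (${size} bytes)</li>`;
  });
  return `<ul class="file-list">${items.join('')}</ul>`;
}

// Constructed sample listing: the second name contains markup that an
// unescaped renderer would hand to the browser as HTML.
const SAMPLE_ENTRIES = [
  { name: 'report.pdf', size: 1024 },
  { name: '<b>notes</b>.txt', size: 12 },
];

console.log(renderFileList(SAMPLE_ENTRIES));
```

Building the list from escaped strings keeps the markup of the page and the content of file names separate; setting `textContent` on a created element achieves the same thing when the listing is built with DOM APIs instead of string templates.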
Status
Package | Ubuntu Release | Status
---|---|---
guacamole-client | 18.04 LTS bionic | Not affected
guacamole-client | 16.04 LTS xenial | Not affected
guacamole-client | 14.04 LTS trusty | Not in release
guacamole-server | 18.04 LTS bionic | Not affected
guacamole-server | 16.04 LTS xenial | Not affected
guacamole-server | 14.04 LTS trusty | Not in release
Notes
seth-arnold
It looks like the guacamole version numbers are useless: there are both broken versions 0.9.8 and 0.9.9 and fixed versions 0.9.8 and 0.9.9. They apparently make changes and republish with the same version number. Thus I'm being conservative and marking everything as affected.
ebarretto
Affects client only
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality impact | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |