Vulnerability Details : CVE-2016-7251
Cross-site scripting (XSS) vulnerability in the MDS API in Microsoft SQL Server 2016 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "MDS API XSS Vulnerability."
Vulnerability category: Cross site scripting (XSS)
Threat overview for CVE-2016-7251
Top countries where our scanners detected CVE-2016-7251: (chart not available in this extract)
Top open port discovered on systems with this issue: 1433
IPs affected by CVE-2016-7251: 41,149
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2016-7251
Probability of exploitation activity in the next 30 days: 3.70%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 91 %
CVSS scores for CVE-2016-7251
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2016-7251
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-7251
- http://www.securityfocus.com/bid/94043 : Microsoft SQL Server Master Data Services CVE-2016-7251 Cross Site Scripting Vulnerability
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-136 : Microsoft Security Bulletin MS16-136 - Important | Microsoft Docs
- http://www.securitytracker.com/id/1037250 : Microsoft SQL Server Flaws Let Remote Users Conduct Cross-Site Scripting Attacks and Remote Authenticated Users Obtain Potentially Sensitive Information and Gain Elevated Privileges - SecurityTracker
Products affected by CVE-2016-7251
- cpe:2.3:a:microsoft:sql_server:2016:*:*:*:*:*:*:*