Vulnerability Details : CVE-2017-3165
In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-3165
- cpe:2.3:a:apache:brooklyn:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3165
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- Percentile: ~55% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2017-3165
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2017-3165
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-3165
- https://lists.apache.org/thread.html/5aa6b7583edbfc1f5653607003204326d9e27ef65e8af356c798b21c@%3Cdev.brooklyn.apache.org%3E
  [SECURITY] CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn - Pony Mail (Mailing List; Vendor Advisory)
- https://brooklyn.apache.org/community/security/CVE-2017-3165.html
  CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn - Apache Brooklyn (Exploit; Vendor Advisory)
- http://www.securityfocus.com/bid/96228
  Apache Brooklyn Cross Site Request Forgery and Multiple Cross Site Scripting Vulnerabilities (Third Party Advisory; VDB Entry)