CVE-2016-1599 - Vulnerability Details

Vendors	Products
Microfocus	Self Service Password Reset

Link	Providers
http://www.securityfocus.com/bid/96837
https://bugzilla.netiq.com/show_bug.cgi?id=967461
https://www.netiq.com/support/kb/doc.php?id=7017399

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-22T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:38", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"name": "96837", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96837"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.netiq.com/support/kb/doc.php?id=7017399"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.netiq.com/show_bug.cgi?id=967461"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "ID": "CVE-2016-1599", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "96837", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96837"}, {"name": "https://www.netiq.com/support/kb/doc.php?id=7017399", "refsource": "CONFIRM", "url": "https://www.netiq.com/support/kb/doc.php?id=7017399"}, {"name": "https://bugzilla.netiq.com/show_bug.cgi?id=967461", "refsource": "CONFIRM", "url": "https://bugzilla.netiq.com/show_bug.cgi?id=967461"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:02:11.676Z"}, "title": "CVE Program Container", "references": [{"name": "96837", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96837"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.netiq.com/support/kb/doc.php?id=7017399"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.netiq.com/show_bug.cgi?id=967461"}]}]}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2016-1599", "datePublished": "2016-03-24T01:00:00", "dateReserved": "2016-01-12T00:00:00", "dateUpdated": "2024-08-05T23:02:11.676Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2016-03-22T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-01-06T16:15:38 (string)

orgId : f81092c5-7f14-476d-80dc-24857f90be84 (string)

shortName : microfocus (string)

}

references : [ »

0 : { »

name : 96837 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

]

url : http://www.securityfocus.com/bid/96837 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@microfocus.com (string)

ID : CVE-2016-1599 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : 96837 (string)

refsource : BID (string)

url : http://www.securityfocus.com/bid/96837 (string)

}

1 : { »

name : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

refsource : CONFIRM (string)

url : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

}

2 : { »

name : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

refsource : CONFIRM (string)

url : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T23:02:11.676Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : 96837 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/bid/96837 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : f81092c5-7f14-476d-80dc-24857f90be84 (string)

assignerShortName : microfocus (string)

cveId : CVE-2016-1599 (string)

datePublished : 2016-03-24T01:00:00 (string)

dateReserved : 2016-01-12T00:00:00 (string)

dateUpdated : 2024-08-05T23:02:11.676Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1920EF32-30AB-4515-B455-4B24C33A4B9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CC4ECB5D-4DC6-497D-A051-D48F22E54A43", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "6ABCD7C5-CC40-474F-BC43-6719E202B99D", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "131BD0F1-0BBE-4086-B63B-3A6B7BECDF00", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "18D790BB-2BAF-4F09-ABC9-6A549443D219", "vulnerable": true}, {"criteria": "cpe:2.3:a:microfocus:self_service_password_reset:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "41AD519C-CA7F-41F8-9BA5-2B1A3D69FCF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}, {"lang": "es", "value": "Vulnerabilidad de XSS en NetIQ Self Service Password Reset (SSPR) 2.x y 3.x en versiones anteriores a 3.3.1 HF2 permite a atacantes remotos inyectar texto web arbitrario o HTML a trav\u00e9s de una URL manipulada."}], "id": "CVE-2016-1599", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-03-24T01:59:04.370", "references": [{"source": "security@opentext.com", "url": "http://www.securityfocus.com/bid/96837"}, {"source": "security@opentext.com", "url": "https://bugzilla.netiq.com/show_bug.cgi?id=967461"}, {"source": "security@opentext.com", "url": "https://www.netiq.com/support/kb/doc.php?id=7017399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/96837"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.netiq.com/show_bug.cgi?id=967461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.netiq.com/support/kb/doc.php?id=7017399"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:2.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 1920EF32-30AB-4515-B455-4B24C33A4B9F (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:3.0:*:*:*:*:*:*:* (string)

matchCriteriaId : CC4ECB5D-4DC6-497D-A051-D48F22E54A43 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:3.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 6ABCD7C5-CC40-474F-BC43-6719E202B99D (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:3.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 131BD0F1-0BBE-4086-B63B-3A6B7BECDF00 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:3.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 18D790BB-2BAF-4F09-ABC9-6A549443D219 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:microfocus:self_service_password_reset:3.3.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 41AD519C-CA7F-41F8-9BA5-2B1A3D69FCF7 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. (string)

}

1 : { »

lang : es (string)

value : Vulnerabilidad de XSS en NetIQ Self Service Password Reset (SSPR) 2.x y 3.x en versiones anteriores a 3.3.1 HF2 permite a atacantes remotos inyectar texto web arbitrario o HTML a través de una URL manipulada. (string)

}

]

id : CVE-2016-1599 (string)

lastModified : 2025-04-12T10:46:40.837 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.1 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2016-03-24T01:59:04.370 (string)

references : [ »

0 : { »

source : security@opentext.com (string)

url : http://www.securityfocus.com/bid/96837 (string)

}

1 : { »

source : security@opentext.com (string)

url : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

}

2 : { »

source : security@opentext.com (string)

url : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.securityfocus.com/bid/96837 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://bugzilla.netiq.com/show_bug.cgi?id=967461 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://www.netiq.com/support/kb/doc.php?id=7017399 (string)

}

]

sourceIdentifier : security@opentext.com (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object