CVE-2016-0781

Severity: medium
Published 2017-05-25 · Modified 2026-05-13
CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVSS v4: — (not yet in upstream)
VIR risk: 6.1

Description

The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious JavaScript content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.

Predictions

Exploit likelihood: 71%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cloudfoundry | cloud_foundry_uaa_bosh | 2 | |
| cloudfoundry | cloud_foundry_uaa_bosh | 3 | |
| cloudfoundry | cloud_foundry_uaa_bosh | 4 | |
| cloudfoundry | cloud_foundry_uaa_bosh | 5 | |
| cloudfoundry | cloud_foundry_uaa_bosh | 6 | |
| cloudfoundry | cloud_foundry_uaa_bosh | 7 | |
| pivotal_software | cloud_foundry | 208 | |
| pivotal_software | cloud_foundry | 209 | |
| pivotal_software | cloud_foundry | 210 | |
| pivotal_software | cloud_foundry | 211 | |
| pivotal_software | cloud_foundry | 212 | |
| pivotal_software | cloud_foundry | 213 | |
| pivotal_software | cloud_foundry | 214 | |
| pivotal_software | cloud_foundry | 215 | |
| pivotal_software | cloud_foundry | 216 | |
| pivotal_software | cloud_foundry | 217 | |
| pivotal_software | cloud_foundry | 218 | |
| pivotal_software | cloud_foundry | 219 | |
| pivotal_software | cloud_foundry | 220 | |
| pivotal_software | cloud_foundry | 221 | |
| pivotal_software | cloud_foundry | 222 | |
| pivotal_software | cloud_foundry | 223 | |
| pivotal_software | cloud_foundry | 224 | |
| pivotal_software | cloud_foundry | 225 | |
| pivotal_software | cloud_foundry | 226 | |
| pivotal_software | cloud_foundry | 227 | |
| pivotal_software | cloud_foundry | 228 | |
| pivotal_software | cloud_foundry | 229 | |
| pivotal_software | cloud_foundry | 230 | |
| pivotal_software | cloud_foundry | 231 | |
| pivotal_software | cloud_foundry | 241 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.0 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.1 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.2 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.3 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.4 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.5 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.6 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.7 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.8 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.9 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.10 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.11 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.12 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.13 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.14 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.15 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.16 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.17 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.18 | |
| pivotal_software | cloud_foundry_elastic_runtime | 1.6.19 | |
| pivotal_software | cloud_foundry_uaa | up to and including 2.7.4.1 | |
| pivotal_software | cloud_foundry_uaa | 3.0.0 | |
| pivotal_software | cloud_foundry_uaa | 3.0.1 | |
| pivotal_software | cloud_foundry_uaa | 3.1.0 | |
| pivotal_software | cloud_foundry_uaa | 3.2.0 | |
| pivotal_software | login-server | (not specified) | |

References

CWEs

CWE-79
