OpenVAS Security Advisory (OVSA20160112)
Date: 13th January 2016
Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)
It has been identified that Greenbone Security Assistant (GSA) is vulnerable to cross site scripting due to a improper handling of the parameters of the get_aggregate command. Given the attacker has access to a session token of the browser session, the cross site scripting can be executed. OpenVAS-7 is not affected.
As of the 13th January, the state of the vulnerabilities is believed to be as follows. Patches have been supplied by Greenbone Networks which successfully resolve this vulnerability. A new release of Greenbone Security Assistant for stable release OpenVAS-8 has been created which incorporates the patches.
OpenVAS recommends that the publicly available patches are applied. If building from source, then patches r24056 (for Greenbone Security Assistant 6.0.x of OpenVAS-8) should be obtained from the OpenVAS SVN repository. For trunk (beta status of OpenVAS-9) this was solved with r24055.
A fresh tarball containing the latest stable release of Greenbone Security Assistant 6.0 (OpenVAS-8) can be obtained from:
In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch.
On the 9th January 2016, Sebastian Neef of Internetwache.org reported the vulnerability. The next day, patches were applied and tests started. Tarballs released and announcement published on the 12th and 13th January.
January 20th 2016: MITRE assigned CVE-2016-1926.
OpenVAS would like to thank Sebastian Neef of Internetwache.org for the initial report.