PatchSiren cyber security CVE debrief
CVE-2016-1566 Apache CVE debrief
CVE-2016-1566 is a stored cross-site scripting issue in the Guacamole file browser when file transfer is enabled to a location shared by multiple users. An authenticated remote user can inject arbitrary web script or HTML through a crafted filename, creating a browser-side attack surface for other users of the shared location. The vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed, so version-only checks can miss the remediation.
- Vendor: Apache
- Product: CVE-2016-1566
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-02
- Advisory updated: 2026-05-13
Who should care
Administrators and operators of Apache Guacamole deployments, especially environments running 0.9.8 or 0.9.9 with file transfer enabled to shared locations used by multiple users.
Technical summary
NVD classifies the issue as CWE-79 (cross-site scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerable behavior is in the file browser: when file transfer is enabled to a shared location, a crafted filename can be rendered in a way that allows stored web script or HTML injection. Because exploitation requires authenticated access and user interaction, the severity is medium, but shared multi-user deployments increase practical risk.
Defensive priority
Medium priority overall; higher priority for shared, multi-user Guacamole deployments that enable file transfer to common locations.
Recommended defensive actions
- Confirm whether your deployed guacamole.war includes the 2016-01-13 fix, since the version number was not changed.
- Upgrade or redeploy Guacamole to a build that contains the stored XSS fix; do not rely on the visible version string alone.
- If file transfer to shared locations is not required, disable it or scope it to per-user locations instead of shared directories.
- Restrict authenticated user permissions so only trusted users can upload or transfer files into shared areas.
- Review application output handling for filenames in the file browser and ensure patched behavior is present in all deployed instances.
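As an added illustration of the last two points (example code written for this debrief, not Guacamole's own file-browser code; function names are hypothetical), the following shows the unsafe pattern in which a raw filename is concatenated into listing markup next to the hardened pattern that escapes it for the HTML context, plus a simple heuristic a defender can run over the names in a shared location to find entries worth reviewing.

```javascript
// Added example (not Guacamole code): safe rendering of untrusted filenames
// in a file-browser listing, and a review heuristic for a shared directory.
// All function names and the sample listing below are constructed.

// Escape the five characters that change meaning inside HTML text/attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw name is concatenated into markup, so a crafted
// name becomes live HTML for every user who views the shared listing.
function renderEntryUnsafe(filename) {
  return `<div class="file" title="${filename}">${filename}</div>`;
}

// Hardened pattern: the untrusted value is escaped for the context it lands in
// (here both an attribute value and element text).
function renderEntrySafe(filename) {
  const escaped = escapeHtml(filename);
  return `<div class="file" title="${escaped}">${escaped}</div>`;
}

// Review heuristic for a shared upload area: names carrying characters that
// only matter if something renders them as HTML. It is a triage aid for
// operators, not a substitute for output encoding in the application.
const SUSPICIOUS_NAME = /[<>"]|javascript:/i;
function findSuspiciousFilenames(filenames) {
  return filenames.filter((name) => SUSPICIOUS_NAME.test(name));
}

// Constructed sample listing of a shared location.
const sampleListing = [
  'quarterly-report.pdf',
  'notes.txt',
  '"><script>x</script>.txt', // constructed crafted name, not from the page
];

for (const name of sampleListing) {
  console.log('unsafe :', renderEntryUnsafe(name));
  console.log('safe   :', renderEntrySafe(name));
}
console.log('flagged for review:', findSuspiciousFilenames(sampleListing));
```

Running the flagged names through the safe renderer shows that the markup reaching the browser contains no tag characters, which is the behaviour the patched file browser must exhibit in every deployed instance.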
Evidence notes
The corpus shows CVE publication on 2017-02-02 and a later metadata modification on 2026-05-13; those are disclosure/record dates, not the issue date. NVD lists affected CPEs for apache:guacamole 0.9.8 and 0.9.9 and assigns CWE-79 with CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The referenced advisory states the issue is a stored XSS in the file browser, occurs when file transfer is enabled to a shared location, and was fixed in guacamole.war on 2016-01-13 without a version-number change.
Official resources
- CVE-2016-1566 CVE record (CVE.org)
- CVE-2016-1566 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed in the NVD record on 2017-02-02; the referenced advisory indicates the fix had already been applied to guacamole.war on 2016-01-13, but the version number did not change.