PatchSiren cyber security CVE debrief

CVE-2016-3150 Barco CVE debrief

CVE-2016-3150 is a cross-site scripting (XSS) issue in wallpaper.php in the Base Unit of certain Barco ClickShare devices. The CVE description says remote attackers can inject arbitrary web script or HTML via unspecified vectors. The record is scored CVSS 6.1 (medium) with network attack vector, low complexity, no privileges required, user interaction required, and changed scope.

Vendor: Barco
Product: CVE-2016-3150
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-12
Original CVE updated: 2026-05-13
Advisory published: 2017-01-12
Advisory updated: 2026-05-13

Who should care

Organizations operating Barco ClickShare CSC-1, CSM-1, or CSE-200 devices should review this issue, especially if users rely on the device web interface or if the affected firmware is still deployed anywhere in the environment.

Technical summary

The supplied CVE description identifies an XSS weakness in wallpaper.php, which maps to CWE-79. The NVD record lists a CVSS v3.0 vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a remotely reachable issue that requires user interaction and can affect confidentiality and integrity at low levels. The CVE description names affected firmware thresholds for CSC-1, CSM-1, and CSE-200, while the NVD CPE criteria in the supplied corpus list CSC-1 firmware through 01.09.05.02 and CSE-200 firmware through 01.09.02.05. These versions should be checked carefully against vendor guidance before remediation planning.

Defensive priority

Medium. The issue is remotely reachable and can lead to script injection, but it requires user interaction and is not scored as affecting availability. Prioritize it for any exposed or business-critical ClickShare deployments.

Recommended defensive actions

  • Inventory Barco ClickShare CSC-1, CSM-1, and CSE-200 devices and identify firmware currently installed.
  • Upgrade affected devices to firmware at or above the fixed versions named in the CVE description: CSC-1 01.09.03, CSM-1 01.06.02, and CSE-200 01.03.02.
  • Validate the target firmware against the supplied NVD CPE criteria as part of change planning, since the CVE description and NVD version ranges do not match exactly in this corpus.
  • Review whether the device web interface is reachable from untrusted networks and limit access where operationally possible.
  • After upgrading, verify that wallpaper.php and related web functions behave normally and check for unexpected script or HTML injection in device content.
  • Monitor for suspicious client-side behavior or unexpected page content associated with the ClickShare interface until patching is completed.
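
The inventory and version checks in the list above can be scripted. The following is an added example, not code from the CVE record, NVD, or Barco: it compares each device's firmware with both version sources quoted on this page and flags the cases where they disagree. The function names, hostnames, and inventory firmware values are constructed for illustration, and it assumes firmware strings are dotted numeric fields.

```python
# Added example (not vendor tooling). Thresholds are the versions quoted on this page.
FIXED_PER_CVE = {"CSC-1": "01.09.03", "CSM-1": "01.06.02", "CSE-200": "01.03.02"}
# NVD CPE criteria are end-inclusive ("through"); this page shows no CSM-1 entry.
NVD_LAST_AFFECTED = {"CSC-1": "01.09.05.02", "CSE-200": "01.09.02.05"}

def parse(version, width=4):
    """Turn '01.09.03' into (1, 9, 3, 0) so 3- and 4-field strings compare numerically."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected firmware format: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))

def assess(model, firmware):
    """Return (affected_per_cve, affected_per_nvd, verdict) for one device."""
    if model not in FIXED_PER_CVE:
        raise ValueError(f"model not covered by this CVE: {model!r}")
    fw = parse(firmware)
    per_cve = fw < parse(FIXED_PER_CVE[model])        # below the fixed version
    last = NVD_LAST_AFFECTED.get(model)
    per_nvd = None if last is None else fw <= parse(last)
    if per_cve:
        verdict = "upgrade"
    elif per_nvd:
        verdict = "sources disagree: confirm with vendor guidance"
    elif per_nvd is None:
        verdict = "ok per CVE description; no NVD CPE entry"
    else:
        verdict = "ok per both sources"
    return per_cve, per_nvd, verdict

# Constructed inventory: (hostname, model, firmware). All values are made up.
INVENTORY = [
    ("room-a", "CSC-1", "01.08.00"),
    ("room-b", "CSC-1", "01.09.04"),
    ("room-c", "CSE-200", "01.03.02"),
    ("room-d", "CSM-1", "01.06.02"),
    ("room-e", "CSE-200", "01.10.00"),
]

def report(inventory):
    """Map each hostname to its verdict."""
    return {host: assess(model, fw)[2] for host, model, fw in inventory}

if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host:8} {verdict}")
```

Devices reported as "sources disagree" are at or above the fixed version in the CVE description but still inside the NVD CPE range, which is the case the third action item asks to validate.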

Evidence notes

Evidence is limited to the supplied CVE/NVD corpus and linked references. The CVE description states XSS in wallpaper.php on Barco ClickShare CSC-1, CSM-1, and CSE-200 devices. The NVD record assigns CWE-79 and CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. There is a versioning discrepancy to note: the CVE description lists one set of affected firmware cutoffs, while the NVD CPE criteria in this corpus list different end-inclusive versions for CSC-1 and CSE-200, and no CSM-1 CPE entry is shown. No exploit code or vendor advisory text was used.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-12. The supplied record was modified on 2026-05-13. No KEV entry is present in the supplied enrichment data.