PatchSiren cyber security CVE debrief
CVE-2016-8356 Kabona Ab CVE debrief
CVE-2016-8356 is a cross-site scripting flaw in Kabona AB WebDatorCentral (WDC) before version 3.4.0. According to the CVE and NVD record, web server URL inputs were not sanitized correctly, which could allow XSS when an attacker can influence those inputs and a user processes the resulting content. NVD scores the issue 8.2 HIGH, reflecting network exposure, required user interaction, and potential impact to confidentiality and integrity.
- Vendor: Kabona Ab
- Product: CVE-2016-8356
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Organizations running Kabona AB WebDatorCentral (WDC), especially deployments that have not been updated to version 3.4.0 or later. Security teams responsible for web application hardening, input validation, and browser-based attack surface should review any instance where user-supplied URLs are accepted or rendered.
Technical summary
The vulnerability is classified as CWE-79 (Cross-Site Scripting). NVD describes the issue as incorrect sanitization of web server URL inputs in WDC prior to version 3.4.0. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a remotely reachable issue that does not require privileges, but does require user interaction. The scope change and high confidentiality impact suggest attacker-controlled content could execute in a victim’s browser context and expose sensitive data within the application context.
Defensive priority
High. The vulnerability is internet-reachable in the CVSS model and can affect confidentiality significantly, so remediation should be prioritized for any exposed or user-facing WDC deployment.
Recommended defensive actions
- Upgrade Kabona AB WebDatorCentral (WDC) to version 3.4.0 or later, as the CVE states the issue affects versions prior to 3.4.0.
- Review all application paths that accept or display URL input and ensure strict server-side validation and output encoding are in place.
- Use context-appropriate escaping for HTML, attributes, and script contexts to prevent browser-side script execution.
- Validate whether any stored or reflected URL handling in WDC can be reached by untrusted users and restrict those inputs where possible.
- Check for signs of XSS abuse in logs, browser reports, and application telemetry around pages that process URL fields.
- Apply defense-in-depth controls such as a restrictive Content Security Policy where compatible with the application.
Evidence notes
Source material identifies the issue as a WebDatorCentral vulnerability affecting versions before 3.4.0, caused by unsanitized web server URL inputs and categorized as CWE-79. NVD assigns CVSS 3.0 8.2 HIGH with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Official and government references in the corpus include the CVE record, NVD detail page, and ICS-CERT advisory reference.
Official resources
- CVE-2016-8356 CVE record (CVE.org)
- CVE-2016-8356 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, VDB Entry)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, US Government Resource)
CVE published 2017-02-13. Use the CVE publication date for timeline context; no later generation or review date should be treated as the issue date.