CVE-2016-5765

medium

Published 2016-11-29 · Modified 2026-05-06

CVSS v3

6.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v2

4.3

VIR risk

6.5

Description

Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Application impact

Vendor	Product	Versions
microfocus	host_access_management_and_security_server	`12.2`
microfocus	host_access_management_and_security_server	`12.3`
microfocus	reflection_for_the_web	`12.1`
microfocus	reflection_for_the_web	`12.2`
microfocus	reflection_for_the_web	`12.3`
microfocus	reflection_security_gateway	`12.1`
microfocus	reflection_zfe	`1.4.0.14`
microfocus	reflection_zfe	`2.0.0.52`
microfocus	reflection_zfe	`2.0.1.18`

References

CWEs

CWE-22 CWE-200

Verify integrity in audit chain (admin only). AS-IS.