CVE-2016-8580

critical
Published 2016-10-28 · Modified 2026-05-06
CVSS v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2: 7.5
VIR risk: 9.8

Description

PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.

Predictions

Exploit likelihood: 97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities

Application impact

Vendor | Product | Versions | Fixed
alienvault | open_source_security_information_and_event_management | {"endIncluding":"5.3.1"} |
alienvault | unified_security_management | {"endIncluding":"5.3.1"} |

References

CWEs

CWE-284
