Feed aggregator

Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products

Cisco Security Advisories - Fri, 2017-03-10 17:30
On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system using a crafted Content-Type header value.

This vulnerability has been assigned CVE-ID CVE-2017-5638.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system using a crafted Content-Type header value.

This vulnerability has been assigned CVE-ID CVE-2017-5638.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2
Security Impact Rating: Critical
CVE: CVE-2017-5638
Categories: Security Alerts

Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability

Cisco Security Advisories - Thu, 2017-03-02 18:42
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) Switches and Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the affected interface on an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa1 A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) Switches and Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the affected interface on an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors and the OWASP reference page Cross-site Scripting (XSS).

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa1
Security Impact Rating: Medium
CVE: CVE-2016-9202
Categories: Security Alerts

Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-03-01 14:00
A vulnerability in the HTTP web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system.

The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-cpi A vulnerability in the HTTP web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system.

The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-cpi
Security Impact Rating: Medium
CVE: CVE-2017-3848
Categories: Security Alerts

Cisco NetFlow Generation Appliance Stream Control Transmission Protocol Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-03-01 14:00
A vulnerability in the Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA) could allow an unauthenticated, remote attacker to cause the device to hang or unexpectedly reload, causing a denial of service (DoS) condition.

The vulnerability is due to incomplete validation of SCTP packets being monitored on the NGA data ports. An attacker could exploit this vulnerability by sending malformed SCTP packets on a network that is monitored by an NGA data port. SCTP packets addressed to the IP address of the NGA itself will not trigger this vulnerability. An exploit could allow the attacker to cause the appliance to become unresponsive or reload, causing a DoS condition. User interaction could be needed to recover the device using the reboot command from the CLI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-nga A vulnerability in the Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA) could allow an unauthenticated, remote attacker to cause the device to hang or unexpectedly reload, causing a denial of service (DoS) condition.

The vulnerability is due to incomplete validation of SCTP packets being monitored on the NGA data ports. An attacker could exploit this vulnerability by sending malformed SCTP packets on a network that is monitored by an NGA data port. SCTP packets addressed to the IP address of the NGA itself will not trigger this vulnerability. An exploit could allow the attacker to cause the appliance to become unresponsive or reload, causing a DoS condition. User interaction could be needed to recover the device using the reboot command from the CLI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-nga
Security Impact Rating: High
CVE: CVE-2017-3826
Categories: Security Alerts

MS16-155 - Important: Security Update for .NET Framework (3205640) - Version: 2.1

Microsoft Comprehensive Security Alerts - Thu, 2017-02-23 10:00
Severity Rating: Important
Revision Note: V2.1 (February 23, 2017): Revised bulletin to announce a detection logic change to Monthly Rollup Release KB3205403 and Monthly Rollup Release KB3205404. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.
Categories: Security Alerts

MS17-005 - Critical: Security Update for Adobe Flash Player (4010250) - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-02-21 10:00
Severity Rating: Critical
Revision Note: V1.0 (February 21, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Categories: Security Alerts

MS17-FEB - Microsoft Security Bulletin Summary for February 2017 - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-02-21 10:00
Revision Note: V1.0 (February 21, 2017):
Summary: This bulletin summary lists security bulletins released for February 2017
Categories: Security Alerts

Cisco Secure Access Control System Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system.

The vulnerability is due to insufficient input validation of a user-supplied value. An attacker may be able to exploit this vulnerability by intercepting the user packets and injecting malicious code.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system.

The vulnerability is due to insufficient input validation of a user-supplied value. An attacker may be able to exploit this vulnerability by intercepting the user packets and injecting malicious code.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs
Security Impact Rating: Medium
CVE: CVE-2017-3838
Categories: Security Alerts

Cisco UCS Director Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web-based GUI of Cisco UCS Director could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile.

The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs A vulnerability in the web-based GUI of Cisco UCS Director could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile.

The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs
Security Impact Rating: Critical
CVE: CVE-2017-3801
Categories: Security Alerts

Cisco Unified Communications Manager Web Interface Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software.

The vulnerability is due to insufficient input validation of user-supplied parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script in the context of the affected web interface.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucm A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software.

The vulnerability is due to insufficient input validation of user-supplied parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script in the context of the affected web interface.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucm
Security Impact Rating: Medium
CVE: CVE-2017-3833
Categories: Security Alerts

Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:
 
http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp3 A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:
 
http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp3
Security Impact Rating: Medium
CVE: CVE-2017-3845
Categories: Security Alerts

Cisco Prime Collaboration Assurance Directory Listing Unauthorized Access Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in exporting functions of the user interface for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to view file directory listings and download files.

The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to view and download system files that should be restricted.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp2 A vulnerability in exporting functions of the user interface for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to view file directory listings and download files.

The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to view and download system files that should be restricted.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp2
Security Impact Rating: Medium
CVE: CVE-2017-3844
Categories: Security Alerts

Cisco Prime Collaboration Assurance Arbitrary File Download Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the file download functions for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to download system files that should be restricted.

The vulnerability is due to lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to download system files that should be restricted.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp1 A vulnerability in the file download functions for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to download system files that should be restricted.

The vulnerability is due to lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application. An exploit could allow the attacker to download system files that should be restricted.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp1
Security Impact Rating: Medium
CVE: CVE-2017-3843
Categories: Security Alerts

Cisco Identity Services Engine SQL Injection Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by using SQL injection techniques in crafted HTTP POST requests to an affected system. A successful exploit could allow the attacker to view or delete notices owned by other users of the system. The notices may contain guest credentials in clear text.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ise A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by using SQL injection techniques in crafted HTTP POST requests to an affected system. A successful exploit could allow the attacker to view or delete notices owned by other users of the system. The notices may contain guest credentials in clear text.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ise
Security Impact Rating: Medium
CVE: CVE-2017-3835
Categories: Security Alerts

Cisco Intrusion Prevention System Device Manager Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web-based management interface of the Cisco Intrusion Prevention System Device Manager (IDM) could allow an unauthenticated, remote attacker to view sensitive information stored in certain HTML comments.
 
The vulnerability is due to improper masking of sensitive data in certain HTML comments. An attacker could exploit this vulnerability by navigating to certain configuration screens. An exploit could allow the attacker to discover sensitive data that should be restricted and could be used to conduct further attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-idm A vulnerability in the web-based management interface of the Cisco Intrusion Prevention System Device Manager (IDM) could allow an unauthenticated, remote attacker to view sensitive information stored in certain HTML comments.
 
The vulnerability is due to improper masking of sensitive data in certain HTML comments. An attacker could exploit this vulnerability by navigating to certain configuration screens. An exploit could allow the attacker to discover sensitive data that should be restricted and could be used to conduct further attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-idm
Security Impact Rating: Medium
CVE: CVE-2017-3842
Categories: Security Alerts

Cisco Firepower Management Center Web Framework Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface.

The vulnerability occurs because the affected software fails to perform sufficient validation and sanitization of user-supplied input when processing crafted URLs. An authenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. Successful exploitation could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-fpmc A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface.

The vulnerability occurs because the affected software fails to perform sufficient validation and sanitization of user-supplied input when processing crafted URLs. An authenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. Successful exploitation could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-fpmc
Security Impact Rating: Medium
CVE: CVE-2017-3847
Categories: Security Alerts

Cisco Unified Communications Manager Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web framework Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data.

The vulnerability is due to insufficient protection of sensitive files. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view configuration information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm3 A vulnerability in the web framework Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data.

The vulnerability is due to insufficient protection of sensitive files. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view configuration information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm3
Security Impact Rating: Medium
CVE: CVE-2017-3836
Categories: Security Alerts

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm2 A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm2
Security Impact Rating: Medium
CVE: CVE-2017-3829
Categories: Security Alerts

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm1 A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:

https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm1
Security Impact Rating: Medium
CVE: CVE-2017-3828
Categories: Security Alerts

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-02-15 14:00
A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks.

The vulnerability is due to improper sanitization or encoding of user-supplied data by the serviceability page of an affected version of Cisco Unified Communications Manager. An attacker could exploit this vulnerability by persuading a targeted user to follow a malicious link. An exploit could allow the attacker to conduct a reflected XSS attack.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks.

The vulnerability is due to improper sanitization or encoding of user-supplied data by the serviceability page of an affected version of Cisco Unified Communications Manager. An attacker could exploit this vulnerability by persuading a targeted user to follow a malicious link. An exploit could allow the attacker to conduct a reflected XSS attack.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm
Security Impact Rating: Medium
CVE: CVE-2017-3821
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator