The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit these vulnerabilities by persuading a user to click a malicious link or by sending an HTTP request that could cause the affected service to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface of the affected system or allow the attacker to access sensitive browser-based information on the affected system. These types of exploits could also be used in phishing attacks that send users to malicious websites without their knowledge.
There are no workarounds that address these vulnerabilities.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the following resources:
- Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors
- OWASP reference: Cross-Site Scripting (XSS)
- CWE definition: CWE-79: Improper Neutralization of Input During Web Page Generation
- CWE definition: CWE-601: URL Redirection to Untrusted Site
http://ift.tt/2ij2hGr
Security Impact Rating: Medium
CVE: CVE-2017-12290,CVE-2017-12291,CVE-2017-12292,CVE-2017-12320,CVE-2017-12321,CVE-2017-12322,CVE-2017-12323
from Cisco Security Advisory http://ift.tt/2ij2hGr
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.