Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability

Severity: Medium | Nessus Plugin ID 129821

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

A vulnerability in the web framework code of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by persuading a user to click a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

Solution

Apply the patch or upgrade to the version recommended in Cisco bug ID CSCve76835.

See Also

http://www.nessus.org/u?9f1cf17a

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve76835

Plugin Details

Severity: Medium

ID: 129821

File Name: cisco-sa-20170920-cuic.nasl

Version: 1.3

Type: local

Family: CISCO

Published: 10/11/2019

Updated: 10/17/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-12248

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:unified_intelligence_center

Required KB Items: installed_sw/Cisco Unified Intelligence Center (CUIC), Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 9/20/2017

Vulnerability Publication Date: 9/20/2017

Reference Information

CVE: CVE-2017-12248

BID: 100921

CWE: 79

CISCO-SA: cisco-sa-20170920-cuic

CISCO-BUG-ID: CSCve76835