Cisco UCS Central Software Cross Site Scripting and Session Fixation Vulnerabilities



Cisco UCS Central Software is prone to a cross-site scripting vulnerability and a session-fixation vulnerability.

An attacker may leverage these issues to hijack an arbitrary session and gain unauthorized access to the affected application or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

These issues are being tracked by Cisco Bug ID CSCvf71978 and CSCvf71986.

Information

Bugtraq ID: 102018
Class: Input Validation Error
CVE: CVE-2017-12348
CVE-2017-12349

Remote: Yes
Local: No
Published: Nov 29 2017 12:00AM
Updated: Dec 01 2017 03:10PM
Credit: Indrajith.A.N
Vulnerable: Cisco UCS Central Software 2.2(1a)A


Not Vulnerable:

Exploit


Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.


Related Posts

Comments