Cisco UCS Central Software Cross Site Scripting and Session Fixation Vulnerabilities

Cisco UCS Central Software is prone to a cross-site scripting vulnerability and a session-fixation vulnerability.

An attacker may leverage these issues to hijack an arbitrary session and gain unauthorized access to the affected application or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

These issues are being tracked by Cisco Bug ID CSCvf71978 and CSCvf71986.

Information

Bugtraq ID: 102018
Class: Input Validation Error
CVE: CVE-2017-12348
CVE-2017-12349

Remote: Yes
Local: No
Published: Nov 29 2017 12:00AM
Updated: Dec 01 2017 03:10PM
Credit: Indrajith.A.N
Vulnerable: Cisco UCS Central Software 2.2(1a)A

Not Vulnerable:

Exploit

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

References:

Cisco Homepage (Cisco )
Multiple Vulnerabilities in Cisco UCS Central Software (Cisco)

Source: www.securityfocus.com

Exploit Collector

Search Exploit