Cisco: CISCO-SA-20090114-CVE-2008-3821
Jan 14, 2009 - 4:58 p.m.

Cisco IOS HTTP Server Ping Parameter Cross-Site Scripting Vulnerability

2009-01-14 16:58:09
tools.cisco.com

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.004 Low
Percentile: 74.1%

Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML and script code in the user’s browser session.

The vulnerability exists due to an input sanitization error in the embedded HTTP server. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious link. This action could allow the attacker to execute arbitrary HTML and script code in the user’s browser session.

Cisco has confirmed this vulnerability and released updated software.

The vulnerability exists due to an error in the embedded HTTP server in Cisco IOS Software. Security best practices dictate that administrators disable this server when it is not in use. Administrators are advised to review their networks to determine the purposes of any Cisco IOS devices that are running the embedded HTTP server.
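One way to carry out the review described above, as an added example that is not part of the Cisco advisory: a Python audit of saved running-configs that reports whether the embedded web server is enabled on each device. It assumes the IOS global configuration commands `ip http server`, `ip http secure-server` and `ip http access-class`; the hostnames and config excerpts are constructed sample data.

```python
import re

# Constructed running-config excerpts (not from the advisory), keyed by hostname.
SAMPLE_CONFIGS = {
    "edge-rtr-01": "hostname edge-rtr-01\nip http server\nip http authentication local\n",
    "core-sw-02": "hostname core-sw-02\nno ip http server\nip http secure-server\n"
                  "ip http access-class 10\n",
    "lab-rtr-03": "hostname lab-rtr-03\nno ip http server\nno ip http secure-server\n",
    "old-rtr-04": "hostname old-rtr-04\ninterface Vlan1\n ip address 192.0.2.1 255.255.255.0\n",
}

_LISTENER = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
_ACL = re.compile(r"^ip http access-class\s+(?:ipv4\s+)?(\S+)")

def http_server_state(config_text):
    """Return explicit HTTP/HTTPS server settings; None means no line was present."""
    state = {"server": None, "secure-server": None, "access_class": None}
    for raw in config_text.splitlines():
        if raw[:1].isspace():
            continue  # indented lines belong to a sub-mode, not global config
        line = raw.strip()
        m = _LISTENER.match(line)
        if m:
            state[m.group(2)] = m.group(1) is None  # a "no" prefix means disabled
            continue
        a = _ACL.match(line)
        if a:
            state["access_class"] = a.group(1)
    return state

def classify(state):
    listeners = (state["server"], state["secure-server"])
    if any(v is True for v in listeners):
        # An access-class narrows who can reach the server; it is not a fix,
        # because the request comes from the permitted user's own browser.
        return "enabled-restricted" if state["access_class"] else "enabled"
    if all(v is False for v in listeners):
        return "disabled"
    # No explicit line: the default varies by platform and release, so this
    # device needs a manual check rather than being assumed safe.
    return "unspecified"

def audit(configs):
    return {host: classify(http_server_state(text)) for host, text in configs.items()}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {verdict}")
```

Devices reported as `enabled` or `enabled-restricted` are the ones to review for purpose and software version; `unspecified` means the saved config alone does not settle the question.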
