CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS

Percentile: 56.1%

Cisco Unified Computing System Central Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability exists because the affected software fails to sufficiently validate and sanitize user-supplied input when processing crafted URLs. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and to access sensitive browser-based information.
Cisco has confirmed the vulnerability in a security notice and has released software updates.
To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions in an attempt to persuade a user to follow the malicious link.
For additional information about cross-site scripting attacks and potential methods of mitigation, see the Cisco Applied Mitigation Bulletin [Understanding Cross-Site Scripting (XSS) Threat Vectors](https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss).
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | unified_computing_system_central_software | any | cpe:2.3:a:cisco:unified_computing_system_central_software:any:*:*:*:*:*:*:* |