CiscoCISCO-SA-20151117-FIREPOWER4Cisco Firepower 9000 Series Switch Clickjacking Vulnerability
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
51.6%
A vulnerability in the web interface of the Cisco Firepower 9000 Series Switch could allow an unauthenticated, remote attacker to affect the integrity of the device though a clickjacking or phishing attack.
The vulnerability is due to the lack of proper input sanitization of iFrame data in the HTTP requests sent to the device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. An exploit could allow the attacker to perform a clickjacking or phishing attack where the user is tricked into clicking a malicious link. Protection mechanisms should be used to help prevent this type of attack.
Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4 [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4”]
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| firepower extensible operating system | eq | any | |
| cisco firepower extensible operating system | eq | any |
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
51.6%