Cisco Meeting Server Persistent Cross-Site Scripting Vulnerability

A vulnerability in the web bridge that offers video via a web interface of Cisco Meeting Server Software, formerly Acano Conferencing Server, could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to improper input validation of certain parameters that are passed to an affected device via an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected management interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found in the following resources:

OWASP Attack Reference: Cross-site Scripting (XSS)["https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)"]
Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors["http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html "]

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ms[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ms”]