Cisco Wireless LAN Controller Software Cross-Site Scripting Vulnerability
2018-10-17T16:00:00
ID: CISCO-SA-20181017-WLAN-XSS
Type: cisco
Reporter: Cisco
Modified: 2018-10-16T18:36:02
Description
A vulnerability in the web-based interface of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web-based interface of an affected system.
The vulnerability is due to insufficient validation of user-supplied input by the web-based interface. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlan-xss
Bulletin family: software
CVE: CVE-2018-0388
CWE: CWE-79
CVSS v3.0: 4.8 (MEDIUM), CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (exploitability 1.7, impact 2.7)
CVSS v2.0: 3.5 (LOW), AV:N/AC:M/Au:S/C:N/I:P/A:N (exploitability 6.8, impact 2.9)
Vulners score: 5.4
Affected software: Cisco Wireless LAN Controller (WLC), version: any
Affected versions listed by NVD (CPE): Cisco Wireless LAN Controller 8.3(133.0), 8.3(135.0), 8.5(120.0)
NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0388
NVD published: 2018-10-17T19:29:00
NVD modified: 2019-10-09T23:31:00