Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SA-TMS-PORTAL-XSS-AXNEVG3S.NASLHistoryJan 12, 2024 - 12:00 a.m.
Cisco TelePresence Management Suite < 15.13.6 XSS (cisco-sa-tms-portal-xss-AXNeVg3s)
2024-01-1200:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
cisco telepresence management suite
xss
remote attacker
web-based management
arbitrary script code
sensitive information
cisco bids
security advisory
scanner
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
According to its self-reported version, Cisco TelePresence Management Suite is affected by multiple cross-site scripting (XSS) vulnerabilities. Due to insufficient validation of the web-based management, a remote attacker can inject malicious data into a specific field of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(187971);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");
script_cve_id("CVE-2023-20248", "CVE-2023-20249");
script_xref(name:"CISCO-BUG-ID", value:"CSCwf12722");
script_xref(name:"CISCO-BUG-ID", value:"CSCwf75895");
script_xref(name:"CISCO-SA", value:"cisco-sa-tms-portal-xss-AXNeVg3s");
script_xref(name:"IAVA", value:"2024-A-0023-S");
script_name(english:"Cisco TelePresence Management Suite < 15.13.6 XSS (cisco-sa-tms-portal-xss-AXNeVg3s)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco TelePresence Management Suite is affected by multiple cross-site
scripting (XSS) vulnerabilities. Due to insufficient validation of the web-based management, a remote attacker can
inject malicious data into a specific field of the interface. A successful exploit could allow the attacker to execute
arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tms-portal-xss-AXNeVg3s
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a7e08f44");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf12722");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf75895");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwf12722, CSCwf75895");
script_set_attribute(attribute:"agent", value:"windows");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20249");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/10");
script_set_attribute(attribute:"patch_publication_date", value:"2024/01/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/12");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_management_suite");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_telepresence_management_suite_detect.nbin", "cisco_telepresence_management_suite_installed.nbin");
script_require_keys("installed_sw/Cisco Telepresence Management Suite");
exit(0);
}
include('vcf.inc');
var app_info = vcf::combined_get_app_info(app:'Cisco Telepresence Management Suite');
var constraints = [{'fixed_version': '15.13.6'}];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING,
flags:{'xss':TRUE}
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | telepresence_management_suite | cpe:/a:cisco:telepresence_management_suite |
Related
cisco
cisco
Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities
2024-01-10 16:00:00
vulnrichment
vulnrichment
CVE-2023-20249
2024-04-24 20:47:22
cve
cve
CVE-2023-20248
2024-04-24 21:15:46
CVE-2023-20249
2024-04-24 21:15:46
cvelist
cvelist
CVE-2023-20248
2024-04-24 20:46:55
CVE-2023-20249
2024-04-24 20:47:22
nvd
nvd
CVE-2023-20248
2024-04-24 21:15:46
CVE-2023-20249
2024-04-24 21:15:46
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Related for CISCO-SA-TMS-PORTAL-XSS-AXNEVG3S.NASL