Cisco: CISCO-SA-20100429-CVE-2010-0594
History: Apr 29, 2010 - 6:32 p.m.

Cisco Router and Security Device Manager Cross-Site Scripting Vulnerability

2010-04-29 18:32:12
tools.cisco.com

CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 46.0%

Cisco Router and Security Device Manager versions 2.5 and prior contain a vulnerability that could allow attackers to conduct cross-site scripting attacks.

The vulnerability exists due to improper validation of parameters processed by the application. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious URL. If successful, the attacker could execute arbitrary script or HTML code in the user’s browser session.

Cisco has confirmed the vulnerability in a bug entry; however, updates are not available.

To exploit this vulnerability, an attacker must convince a user to follow a provided URL. The attacker may send the URL to the user in e-mail messages or post it on a website. The attacker may use social engineering techniques in an attempt to convince the user to trust the provided link.

Only users with access to the application can participate in an exploit. Due to the nature of the application, it is likely that very few users who perform administrative tasks will have the required access, limiting the potential for exploitation.

Although fixes for Cisco Router and Security Device Manager are not available, users can deploy the Cisco Configuration Professional in its place. The software is available at the following link: Cisco Configuration Professional (http://www.cisco.com/en/US/products/ps9422/index.html)

Affected configurations

Node (Vulners):
cisco router_and_security_device_manager, Match: any
OR
cisco router_and_security_device_manager, Match: any

