Cisco Connected Grid Network Management System Cross-Site Scripting Vulnerabilities

Cisco Connected Grid Network Management System (CG-NMS) contains multiple
vulnerabilities that could allow an unauthenticated, remote attacker to
conduct cross-site scripting attacks.

Cisco Connected Grid Network Management System is susceptible to cross-site scripting (XSS) vulnerabilities in the element list component. XSS attacks use obfuscation by encoding tags or malicious portions of the script using the Unicode method so that the link or HTML content is disguised to the end user browsing to the site. The origins of XSS attacks are difficult to identify using traceback methods because the vulnerable server is used to inject the malicious code to the users’ browsers, thus concealing the identity of the malicious user.

Cisco has confirmed these vulnerabilities in a security notice and software updates are available.

To exploit this vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Customers are advised to review the bug reports in the vendor announcements section for a current list of affected versions.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.