Cisco Unified Computing System Central Software DOM-Based Cross-Site Scripting Vulnerability

Cisco Unified Computing System Central Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

The vulnerability exists because the affected software fails to perform sufficient validation and sanitation of user-supplied input when processing crafted URLs. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information.

Cisco has confirmed the vulnerability in a security notice and has released software updates.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions in an attempt to persuade a user to follow the malicious link.

For additional information about cross-site scripting attacks and potential methods of mitigation, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors[“https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss”].

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.