Cisco: CISCO-SA-20150609-CVE-2015-0774
History: Jun 09, 2015 - 5:01 p.m.

Cisco Application and Content Networking System URL Page Return Cross-Site Scripting Vulnerability

2015-06-09 17:01:49
tools.cisco.com

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001
Percentile: 43.4%

A vulnerability in Cisco Application and Content Networking System (ACNS) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.

The vulnerability is due to insufficient validation of the URL of pages that are not accessible to the end user that could be returned by an affected device. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious link designed to deliver crafted JavaScript code. Processing the malicious link could allow the crafted JavaScript code to be executed in the user’s browser when the error page is returned.
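The reflected-URL error page pattern described above, as an added generic illustration (not Cisco ACNS code, whose implementation the advisory does not show). The function names, page markup and sample path are hypothetical and constructed for this example.

```python
import html
from urllib.parse import unquote

# Constructed request path carrying markup, as a crafted link would.
SAMPLE_PATH = "/blocked/%3Cscript%3Ealert(1)%3C/script%3E"

def error_page_unsafe(raw_path):
    """Vulnerable pattern: the decoded URL is concatenated into the HTML."""
    url = unquote(raw_path)
    body = "<html><body><h1>Access denied</h1><p>URL: " + url + "</p></body></html>"
    return {"Content-Type": "text/html"}, body

def error_page_safe(raw_path):
    """Hardened pattern: encode on output and restrict script execution."""
    url = unquote(raw_path)
    shown = html.escape(url, quote=True)  # <, >, &, ", ' become entities
    body = "<html><body><h1>Access denied</h1><p>URL: " + shown + "</p></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: no inline or external script may run on this page.
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body

def contains_live_markup(body):
    """True when the reflected URL survived as an actual <script> element."""
    return "<script>" in body.lower()

if __name__ == "__main__":
    for render in (error_page_unsafe, error_page_safe):
        headers, body = render(SAMPLE_PATH)
        print(render.__name__, "live markup:", contains_live_markup(body))
```

Because the advisory states that no software update is available, output encoding of this kind cannot be applied on the device itself; the same check can be used on a reverse proxy or in a test harness to confirm whether an error page reflects the requested URL unencoded.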

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the link.

June 17, 2015 is the last day that Cisco may release software maintenance releases and bug fixes for the Cisco ACNS. Customers could review the End-of-Sale and End-of-Life announcement at the following link: End-of-Life Milestones and Dates for the Cisco Application and Content Networking System (ACNS) Software Version 5.5 (http://www.cisco.com/c/en/us/products/collateral/application-networking-services/application-content-networking-system-acns-software/eos-eol-notice-c51-730564.html). Customers are encouraged to migrate to the Cisco Enterprise Content Delivery System (ECDS). Information about this product is at the following link: ECDS (http://www.cisco.com/c/en/us/products/video/enterprise-content-delivery-system-ecds/index.html).

Cisco would like to thank Nirmal Kirubakaran for reporting this vulnerability.

Affected configurations

Vulners node: cisco application_and_content_networking_system_software, match any

Vendor: cisco
Product: application_and_content_networking_system_software
Version: any
CPE: cpe:2.3:a:cisco:application_and_content_networking_system_software:any:*:*:*:*:*:*:*
