BUGTRAQ ID: 29191
CVE(CAN) ID: CVE-2008-2165
Cisco Building Broadband Service Manager(BBSM)是基于软件的服务创建平台,可为政府部门提供高度自动化的、非常方便的宽带服务方法。
Cisco BBSM的AccessCodeStart.asp页面没有正确地过滤对msg参数的输入便返回给了用户,这允许远程攻击者通过提交恶意URL请求执行跨站脚本攻击,导致在用户浏览器会话中执行任意HTML和脚本代码。
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
<a href=“http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.3&mdfid=278455427&sftType=Building Broadband Service Manager (BBSM) Updates&optPlat=&nodecount=2&edesignator=null&modelName=Cisco Building Broadband Service Manager 5.3&treeMdfId=281527126&treeName=Network Monitoring and Management” target=“_blank”>http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.3&mdfid=278455427&sftType=Building Broadband Service Manager (BBSM) Updates&optPlat=&nodecount=2&edesignator=null&modelName=Cisco Building Broadband Service Manager 5.3&treeMdfId=281527126&treeName=Network Monitoring and Management</a>
http://www.example.com/ekgnkm/AccessCodeStart.asp?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E