Cisco Bug: CSCsz13881 - Read Only user can modify HTML source to alter privilege

Last Modified

Aug 11, 2015

Products (1)

  • Cisco Wide Area Application Services (WAAS) Appliances

Known Affected Releases


Description (partial)

When a user has write access to certain pages and read-only access to others, that user can gain write access to all of the read-only pages
by modifying their HTML content, using the similar write-access pages as a reference.


1. The user has write access to page1 at the Device level but read-only
    access to the same page at the DG level.

2. The user navigates to the device-level page and views the HTML
    source of that write-access page.

3. The user then navigates to the read-only page at the DG level and
    modifies its HTML content to match the device-level page (the
    same page with write access). Modifying the HTML content grants
    write access on that page, and the user can now perform any
    possible write operation on it.
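
The steps above work only if the read-only state lives in the delivered HTML. The following is an added example, not Cisco's code or part of the bug record, of the corresponding server-side check: the write decision comes from the authenticated user and a server-side ACL keyed by page and scope, never from submitted markup. The user name, ACL layout, form fields and function names are hypothetical.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2

class Forbidden(Exception):
    pass

# Constructed ACL mirroring step 1: write at device level, read-only at DG level.
ACL = {
    ("operator1", "page1", "device"): Access.WRITE,
    ("operator1", "page1", "dg"): Access.READ,
}
STORE = {}   # saved settings, keyed by (page, scope)
AUDIT = []   # denied write attempts, kept for detection and review

WRITE_METHODS = {"POST", "PUT", "DELETE"}

def effective_access(user, page, scope):
    return ACL.get((user, page, scope), Access.NONE)

def handle_request(user, method, page, scope, form=None):
    """Authorize from the authenticated user and the server-side ACL only.

    Nothing in `form` (hidden fields, enabled buttons, copied markup) is
    consulted when deciding whether the request may write.
    """
    needed = Access.WRITE if method in WRITE_METHODS else Access.READ
    granted = effective_access(user, page, scope)
    if granted < needed:
        if needed is Access.WRITE:
            AUDIT.append((user, method, page, scope))
        raise Forbidden(f"{user}: {needed.name} denied on {page}@{scope}")
    if needed is Access.WRITE:
        STORE[(page, scope)] = dict(form or {})
        return "saved"
    # Read path: tell the template whether to render controls as editable.
    return {"page": page, "scope": scope, "editable": granted is Access.WRITE}

def demo():
    # Constructed form, as if copied from the write-enabled device-level page.
    copied_form = {"readOnly": "false", "setting": "new-value"}
    results = [handle_request("operator1", "POST", "page1", "device", copied_form)]
    try:
        handle_request("operator1", "POST", "page1", "dg", copied_form)
    except Forbidden as exc:
        results.append(str(exc))
    return results
```

The denied DG-level write lands in `AUDIT`, which gives operators a record of a read-only user submitting write requests.
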

Bug details contain sensitive information and therefore require an account to be viewed.
