Cisco Bug: CSCvk15284 - Cisco IOS XE Software Stored Cross-Site Scripting Vulnerability

Last Modified

Feb 24, 2020

Products (184)

  • Cisco IOS
  • Cisco Catalyst 3850-32XS-E Switch
  • Cisco Catalyst 9300-48U-A Switch
  • Cisco Catalyst 3650-48FQM-L Switch
  • Cisco Catalyst 3850-24U-L Switch
  • Cisco Catalyst 3850-24P-L Switch
  • Cisco Catalyst 9410R Switch
  • Cisco Catalyst 3650-12X48UR-L Switch
  • Cisco Catalyst 9400 Supervisor Engine-1XL-Y
  • Cisco Catalyst 3650-12X48UQ-L Switch

Known Affected Releases

Fuji-16.9.1 Gibraltar-16.10.1

Description (partial)

Symptom:
A vulnerability in the web framework code of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software.

The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by convincing a user of the web interface to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information.
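The paragraph above describes the vulnerability only as "insufficient input validation" of parameters that end up in the web interface. The following added example (not Cisco code, and not taken from the advisory) shows why that phrasing matters for the fix: a hypothetical input filter that only strips angle brackets stops the obvious `<script>` payload but lets an attribute break-out through, while contextual output encoding at render time neutralises both. The parameter name `description`, the two payloads and the browser stand-in `script_would_run` are all constructed for illustration.

```python
import html
import re

# Constructed payloads for illustration; they are not taken from the advisory.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",  # classic tag injection
    '" onmouseover="alert(1)',                  # attribute break-out, no angle brackets
]


def validate_naive(value: str) -> bool:
    """Hypothetical input filter that only rejects angle brackets.

    This is what 'insufficient input validation' looks like in practice: it
    stops the obvious payload and misses the attribute break-out entirely.
    """
    return "<" not in value and ">" not in value


def render_vulnerable(description: str) -> str:
    """Hypothetical page fragment that echoes a stored parameter verbatim."""
    return f'<input name="description" value="{description}">'


def render_hardened(description: str) -> str:
    """Same fragment with contextual output encoding; quote=True is essential
    because the value lands inside a double-quoted attribute."""
    return f'<input name="description" value="{html.escape(description, quote=True)}">'


def script_would_run(page: str) -> bool:
    """Crude stand-in for a browser: does the markup contain a live <script>
    element or an inline event-handler attribute (onmouseover="...")?"""
    return re.search(r'<script\b|\son\w+="', page, re.IGNORECASE) is not None


def stored_xss_outcomes(payload: str) -> dict:
    """Walk one payload through filter -> storage -> rendering for both renderers."""
    return {
        "passes_filter": validate_naive(payload),
        "vulnerable_executes": script_would_run(render_vulnerable(payload)),
        "hardened_executes": script_would_run(render_hardened(payload)),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), stored_xss_outcomes(p))
```

The second payload is the instructive one: it passes the naive filter and still executes in the vulnerable renderer, which is why a fix that only tightens validation of the stored parameter is weaker than encoding at the point where the value is written into HTML.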

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-xss

Conditions:
Requires an admin to configure specific parameters that are subject to XSS.

To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com at the following link: https://tools.cisco.com/security/center/softwarechecker.x

Affects all 16.x trains prior to first fixed releases: 16.6.5, 16.9.2, 16.10.1
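The Software Checker is the authoritative way to answer "is my device affected", but a quick local triage across a fleet is often wanted first. The following added example (not a Cisco tool) parses the version out of `show version` output and applies the first-fixed statement above. Note that the page itself lists 16.10.1 both under Known Affected Releases and as a first fixed release; the code follows the first-fixed statement and should be checked against the Software Checker before anyone acts on it. The `show version` excerpt is constructed, and the rules for trains without a listed fix (16.7, 16.8 and earlier treated as affected, trains above 16.10 and non-16.x releases returned as out of scope) are assumptions, not something the page states.

```python
import re

# First fixed releases exactly as stated on this bug page; confirm them with the
# Cisco IOS Software Checker before acting on the result.
FIRST_FIXED = {
    "16.6": (16, 6, 5),
    "16.9": (16, 9, 2),
    "16.10": (16, 10, 1),
}

# Constructed 'show version' excerpt (IOS XE prints zero-padded numbers on the
# first line and the unpadded form on the second).
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 16.09.01
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.9.1, RELEASE SOFTWARE (fc2)
"""


def parse_version(show_version_text: str):
    """Return (major, minor, rebuild) from 'show version' output, or None."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", show_version_text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if affected, False if at or past the first fixed release on its
    train, None if the page's statement does not cover the release.

    Assumptions (not stated on the page): a release is fixed only when it is at
    or past the first fixed release of its own train; 16.x trains below 16.10
    with no listed fix (16.7, 16.8 and earlier) are treated as affected; trains
    above 16.10 and non-16.x releases are out of scope and returned as None.
    """
    major, minor, rebuild = version
    if major != 16:
        return None
    fixed = FIRST_FIXED.get(f"{major}.{minor}")
    if fixed is not None:
        return version < fixed
    latest_fixed_minor = max(v[1] for v in FIRST_FIXED.values())
    return True if minor < latest_fixed_minor else None


if __name__ == "__main__":
    v = parse_version(SAMPLE_SHOW_VERSION)
    verdict = {True: "affected", False: "not affected", None: "out of scope"}[is_affected(v)]
    print(v, verdict)
```

Feed each device's `show version` output to `parse_version` and treat a `None` verdict as "ask the Software Checker", not as "safe".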