Cisco Bug: CSCvs04040 - SG350X-24 - HTTP security headers not presented

Last Modified

Aug 21, 2020

Products (1)

  • Cisco Small Business 500 Series Stackable Managed Switches

Known Affected Releases

2.5.0.90

Description (partial)

Symptom:
The QID vulnerability test tool reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure. Firmware 2.5.0.90 (fw2.5.0.90) and some older versions were tested, all with the same result.

X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top-level page.

X-XSS-Protection: This HTTP header enables the browser's built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0 disables this functionality.

X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load styles and scripts whose MIME type is incorrect.

Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS instead of HTTP.
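As an added example (not part of the Cisco bug record or of the scanner it cites), the following Python audit parses a raw HTTP response head and reports which of the four headers listed above are missing or carry a value that defeats them (X-XSS-Protection: 0, an X-Content-Type-Options other than nosniff, HSTS without a positive max-age). Both sample responses are constructed for illustration and were not captured from an SG350X.

```python
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into {lower-cased name: value}; names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw: str) -> List[str]:
    """Return one finding per missing/weak header; [] means all four are acceptable."""
    h = parse_headers(raw)
    findings: List[str] = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.split(";")[0].strip() == "0":
        findings.append("X-XSS-Protection: 0 disables the browser filter")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff (MIME sniffing)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing (no HSTS)")
    else:
        # Split "max-age=N; includeSubDomains" into directives; a zero max-age turns HSTS off.
        directives = dict(d.strip().lower().partition("=")[::2] for d in hsts.split(";") if d.strip())
        if not directives.get("max-age", "0").isdigit() or int(directives.get("max-age", "0")) <= 0:
            findings.append("Strict-Transport-Security has no positive max-age")
    return findings

# Constructed sample resembling the report: a web UI that sends none of the four headers.
SWITCH_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<html>...</html>"""

# Constructed sample with all four headers set to acceptable values.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""
```

Calling audit_security_headers(SWITCH_RESPONSE) returns four findings, one per header the scanner listed, while the hardened sample returns an empty list. Current browsers have removed the XSS filter, so the X-XSS-Protection check only satisfies the scanner and does not by itself add protection.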

Conditions:
Same as Symptom (the Conditions field repeats the Symptom text above verbatim).