A vulnerability in the web-based interface of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based interface of an affected product. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvh65713.
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf72309.
A vulnerability in the web-based management interface of Cisco Tetration Analytics could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a Document Object Model (DOM) cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf73922.
A vulnerability in the User Provisioning tab in the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by placing a malicious string in the Prime Collaboration Provisioning database. A successful exploit could allow the attacker to access Cisco Prime Collaboration Provisioning by injecting crafted data into the database. Cisco Bug IDs: CSCvd86609.
Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Meeting Server (formerly Acano Conferencing Server) 1.7 through 1.9 allows remote attackers to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCva19922.
Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unified Computing System (UCS) Central Software 1.4(1a) allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCuy91250.
Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meetings Server 2.5.1.5 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuy01843.
Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system. The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web UI. An attacker could exploit these vulnerabilities by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information on an affected system.
Cross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.0.10 allows remote attackers to inject arbitrary web script or HTML via a crafted hostname in an SNMP response, aka Bug ID CSCuw47238.
Open redirect vulnerability in Cisco WebEx Node for Media Convergence Server (MCS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted HTTP request parameters, aka Bug ID CSCuv32136.
Cross-site scripting (XSS) vulnerability in the Alert Service of Cisco Cloud Web Security base revision allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Open redirect vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, aka Bug ID CSCuq74150.
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.
Multiple open redirect vulnerabilities in the admin web interface in the web framework in Cisco Unified Communications Domain Manager (CDM) 8.1(.4) and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted URLs for unspecified scripts, aka Bug ID CSCuo48835.
A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches. Cisco Bug IDs: CSCvg29980.
Open redirect vulnerability in Self-Care Client Portal applications in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka Bug ID CSCun79731.
Open redirect vulnerability in Cisco WebEx Training Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul57140.
Open redirect vulnerability in the mobile-browser subsystem in Cisco WebEx Sales Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul36020.
Open redirect vulnerability in Cisco WebEx Training Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul36031.
Open redirect vulnerability in Cisco WebEx Sales Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul25557.
The SSL functionality in Cisco NX-OS on the Nexus 1000V does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof servers, and intercept or modify Virtual Supervisor Module (VSM) to VMware vCenter communication, via a crafted certificate, aka Bug ID CSCud14837.
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of requests stored in the system's logging database. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. An exploit could allow the attacker to conduct cross-site scripting attacks when an administrator views the logs in the Admin Portal.
A vulnerability in the web-based management interface of Cisco Webex Events Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Unspecified vulnerability in Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x before 7.0(2)ES8, when using anonymous authentication (aka native Unity authentication), allows remote attackers to bypass authentication and read or modify system configuration parameters by going to a specific link more than once.
A vulnerability in the Cisco Advanced Malware Protection (AMP) for Endpoints integration of Cisco AsyncOS for Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers. This vulnerability is due to improper certificate validation when an affected device establishes TLS connections. A man-in-the-middle attacker could exploit this vulnerability by sending a crafted TLS packet to an affected device. A successful exploit could allow the attacker to spoof a trusted host and then extract sensitive information or alter certain API requests.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70904.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70967.
A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software.
A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct a reflected or Document Object Model based (DOM-based) cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCve84006.
A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvi71274.
A vulnerability in the web UI of Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against a user of the web UI of the affected software. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCun79565.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a link that is designed to submit malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information on the targeted device. Cisco Bug IDs: CSCvg51264.
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvf76417.
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the NX-API on an affected device. An attacker could exploit this vulnerability by persuading a user of the NX-API to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. The attacker could view and modify the device configuration. Note: The NX-API feature is disabled by default.
A vulnerability in the Web Server Authentication Required screen of the Clientless Secure Sockets Layer (SSL) VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of that portal on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the portal or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco ASA Software: 3000 Series Industrial Security Appliances, Adaptive Security Virtual Appliance (ASAv), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches, ASA Services Module for Cisco 7600 Series Routers. Cisco Bug IDs: CSCvh20742.
A vulnerability in the web-based management interface of Cisco Finesse 10.6(1) and 11.5(1) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvd96744.
A vulnerability in the web application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvd49141. Known Affected Releases: 2.1(102.101).
A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc90312. Known Affected Releases: 12.1.
The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the WebLaunch function of the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. Cisco Bug IDs: CSCvf12055. Known Affected Releases: 98.89(40).
A vulnerability in the web framework code of Cisco Prime Infrastructure 2.2(2) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. The vulnerability is due to insufficient input validation of some parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting the malicious code. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCuw65830.
A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCuw65833 CSCuw65837. Known Affected Releases: 2.2(2).
A vulnerability in the web framework code of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvc79842 CSCvc79846 CSCvc79855 CSCvc79873 CSCvc79882 CSCvc79891. Known Affected Releases: 11.1.2.
A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of an affected device. More Information: CSCvc21620. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.641) 12.0(0.98000.500) 12.0(0.98000.219).
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. More Information: CSCvb95951. Known Affected Releases: 12.0(0.99999.2). Known Fixed Releases: 11.0(1.23064.1) 11.5(1.12031.1) 11.5(1.12900.21) 11.5(1.12900.7) 11.5(1.12900.8) 11.6(1.10000.4) 12.0(0.98000.155) 12.0(0.98000.178) 12.0(0.98000.366) 12.0(0.98000.367) 12.0(0.98000.468) 12.0(0.98000.469) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6).
The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332.
A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.
The fabric-interconnect component in Cisco Unified Computing System (UCS) does not encrypt KVM virtual-media data, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or modify this traffic by inserting packets into the client-server data stream, aka Bug ID CSCtr72964.
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.