Cisco Connected Grid Network Management System Cross-Site Scripting Vulnerabilities
Cisco-SA-20130401-CVE-2013-1171 · Medium · Published · Updated
Cisco Connected Grid Network Management System (CG-NMS) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco Connected Grid Network Management System is susceptible to cross-site scripting (XSS) vulnerabilities in the element list component. XSS attacks use obfuscation by encoding tags or malicious portions of the script using the Unicode method so that the link or HTML content is disguised to the end user browsing to the site. The origins of XSS attacks are difficult to identify using traceback methods because the vulnerable server is used to inject the malicious code to the users' browsers, thus concealing the identity of the malicious user. Cisco has confirmed these vulnerabilities in a security notice and software updates are available. To exploit this vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. Customers are advised to review the bug reports in the vendor announcements section for a current list of affected versions. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Administrators are advised to apply the appropriate updates.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.