Cisco-SA-20141212-CVE-2014-3364

Cisco Prime Security Manager Cross-Site Scripting Vulnerability

Cisco-SA-20141212-CVE-2014-3364 · Medium · Published 11 years ago · Updated 11 years ago

A vulnerability in the web framework of Cisco Prime Security Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system. The vulnerability is due to insufficient input validation of several parameters in the Access Polices and Device Summary Dashboard related HTML pages. An attacker could exploit this vulnerability by persuading a user to access a malicious link. Cisco has confirmed the vulnerability in a security notice. Cisco thanks Dikla Barda of the Check Point Security Research Team for reporting the vulnerability. To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Cisco advisory ·CSAF JSON

Workarounds

Administrators are advised to apply updates as they become available.

Users should verify that unsolicited links are safe to follow.

Administrators are advised to monitor affected systems.

CVEs	CVE-2014-3364
Cisco Bug IDs	CSCuq80661
CVSS Score	Base 4.3 Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C

Public Affected Products

Product	CVE	Evidence
Cisco Prime Security Manager (PRSM)	CVE-2014-3364	Cisco CSAF · structured affected

Vulnslist

Cisco product, release, and evidence lookup

Cisco Prime Security Manager Cross-Site Scripting Vulnerability

Workarounds

Public Affected Products