Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Application and Content Networking System URL Page Return Cross-Site Scripting Vulnerability

Cisco-SA-20150609-CVE-2015-0774 · Medium · Published · Updated

A vulnerability in Cisco Application and Content Networking System (ACNS) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks. The vulnerability is due to insufficient validation of the requested URL when an affected device returns an error page for a page that is not accessible to the end user. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious link designed to deliver crafted JavaScript code. Processing the malicious link could allow the crafted JavaScript code to be executed in the user's browser when the error page is returned.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the link.

June 17, 2015 is the last day that Cisco may release software maintenance releases and bug fixes for the Cisco ACNS. Customers can review the End-of-Sale and End-of-Life announcement at the following link: End-of-Life Milestones and Dates for the Cisco Application and Content Networking System (ACNS) Software Version 5.5. Customers are encouraged to migrate to the Cisco Enterprise Content Delivery System (ECDS). Information about this product is at the following link: ECDS.

Cisco would like to thank Nirmal Kirubakaran for reporting this vulnerability.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to contact the vendor regarding future updates and releases.

Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

Users should verify that unsolicited links are safe to follow.

For additional information about XSS attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors" (http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html).

Administrators are advised to monitor affected systems.

CVEs: CVE-2015-0774
Cisco Bug IDs: CSCuu70650
CVSS Score: Base 4.3 (CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C)
Product Names From Source: Cisco Application and Content Networking System (ACNS) Software; Application and Content Networking System (ACNS) Software

Related Products

Product                                                          CVE            Evidence
Cisco Enterprise Content Delivery System (ECDS)                  CVE-2015-0774  Cisco OpenVuln
Cisco Application and Content Networking System (ACNS) Software  CVE-2015-0774  Cisco OpenVuln
Application and Content Networking System (ACNS) Software        CVE-2015-0774  Cisco OpenVuln