CVE-2024-20274

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to inject arbitrary HTML content into a device-generated document. This vulnerability is due to improper validation of user-supplied data. An attacker could exploit this vulnerability by submitting malicious content to an affected device and using the device to generate a document that contains sensitive information. A successful exploit could allow the attacker to alter the standard layout of the device-generated documents, access arbitrary files from the underlying operating system, and conduct server-side request forgery (SSRF) attacks. To successfully exploit this vulnerability, an attacker would need valid credentials for a user account with policy-editing permissions, such as Network Admin, Intrusion Admin, or any custom user role with the same capabilities.

Severity	MEDIUM
CVSS	5.5
CWE	CWE-20
KEV
Published	1 year ago
Modified	9 months ago

Related Products

Product	Advisory
Cisco RV Series Routers	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Nexus Dashboard	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Firepower Threat Defense Software	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Catalyst PON Series Switches	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Adaptive Security Appliance (ASA) Software	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Secure Firewall Management Center (FMC) Appliances	cisco-sa-fmc-html-inj-nfJeYHxz
Cisco Secure Firewall Management Center (FMC)	cisco-sa-fmc-html-inj-nfJeYHxz