Multiple Cisco Products CVE-2018-0149 HTML Injection Vulnerability

Bugtraq ID:	104444
Class:	Input Validation Error
CVE:	CVE-2018-0149
Remote:	Yes
Local:	No
Published:	Jun 06 2018 12:00AM
Updated:	Jun 06 2018 12:00AM
Credit:	Ear Ekzhin
Vulnerable:	Cisco UCS Director Software 0 Cisco Integrated Management Controller Supervisor Software 0
Not Vulnerable:

Multiple Cisco Products CVE-2018-0149 HTML Injection Vulnerability

Multiple Cisco Products are prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

This issue is being tracked by Cisco Bug ID CSCvh12994.

Multiple Cisco Products CVE-2018-0149 HTML Injection Vulnerability

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

Multiple Cisco Products CVE-2018-0149 HTML Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Multiple Cisco Products CVE-2018-0149 HTML Injection Vulnerability

References:

• Cisco Homepage (Cisco )
  
• cisco-sa-20180606-ucsdimcs: Cisco Integrated Management Controller Supervisor a (Cisco)