QID 317126

Date Published: 2022-01-20

QID 317126: Cisco Security Manager (CSM) Cross-Site Scripting (XSS) Vulnerabilities (cisco-sa-csm-mult-xss-7hmOKQTt)

Multiple vulnerabilities in the web-based management interface of Cisco Security Manager
could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

Affected Products
Cisco Security Manager installations running a vulnerable release:
Releases prior to 4.24

QID Detection Logic (Unauthenticated):
The check sends a web request for "cwhp/CSMSDesktop/about.jsp" and inspects the major version of Cisco Security Manager reported there to determine whether the installation is running a vulnerable release.

A successful exploit could allow the attacker to execute arbitrary script code
in the context of the interface or access sensitive, browser-based information.

  • CVSS V3 rated as High - 6.1 severity.
  • CVSS V2 rated as Medium - 4.3 severity.

Solution

    Customers are advised to refer to cisco-sa-csm-mult-xss-7hmOKQTt for more information.

    Software Advisories
    Advisory ID: cisco-sa-csm-mult-xss-7hmOKQTt
    Software Component: Cisco Security Manager
    Link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-mult-xss-7hmOKQTt