cisco-sa-ioxxss-wc6CqUws: Cisco IOx Application Framework Local Manager Stored Cross-Site Scripting Vulnerability
First published: Wed Jun 03 2020(Updated: )
A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a system settings tab. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxxss-wc6CqUws
Credit: the Singapore University TechnologyDesign iTrust Center for Research in Cyber Security for discovering reporting this vulnerability.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco platform | =IR510 WPAN Industrial Routers<IR510 Operating System Release 6.1.27=IOS XE devices:<Cisco IOS XE Software Release 17.2(1)>=IC3000 Industrial Compute Gateway<=IE 4000 Series Switches<Cisco IOS Software Release 15.2.(7a)E0b=CGR1000 Compute Module<IOx image for CGR1000 Release 1.10.0.6=800 Series ISRs<Not fixed; IOx has reached end of life on the Cisco 800 Series ISRs.=800 Series Industrial ISRs<Cisco IOS Software Release 15.9(3)M | IR510 Operating System Release 6.1.27 Cisco IOS XE Software Release 17.2(1) Cisco IOS Software Release 15.2.(7a)E0b IOx image for CGR1000 Release 1.10.0.6 Not fixed; IOx has reached end of life on the Cisco 800 Series ISRs. Cisco IOS Software Release 15.9(3)M |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for Cisco IOx Application Framework Local Manager Stored Cross-Site Scripting Vulnerability?
The vulnerability ID for Cisco IOx Application Framework Local Manager Stored Cross-Site Scripting Vulnerability is cisco-sa-ioxxss-wc6CqUws.
What is the severity of cisco-sa-ioxxss-wc6CqUws?
The severity of cisco-sa-ioxxss-wc6CqUws is medium with a severity value of 6.4.
What is the affected software for cisco-sa-ioxxss-wc6CqUws?
The affected software for cisco-sa-ioxxss-wc6CqUws includes IR510 Operating System Release 6.1.27, Cisco IOS XE Software Release 17.2(1), Cisco IOS Software Release 15.2.(7a)E0b, IOx image for CGR1000 Release 1.10.0.6, Not fixed; IOx has reached end of life on the Cisco 800 Series ISRs, and Cisco IOS Software Release 15.9(3)M.
How does cisco-sa-ioxxss-wc6CqUws affect the Cisco platform?
cisco-sa-ioxxss-wc6CqUws affects the Cisco platform by allowing an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device.
What is the Common Weakness Enumeration (CWE) ID for cisco-sa-ioxxss-wc6CqUws?
The Common Weakness Enumeration (CWE) ID for cisco-sa-ioxxss-wc6CqUws is 79.
- agent/weakness
- agent/type
- agent/references
- agent/title
- agent/severity
- agent/author
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/cisco-advisory
- source/Cisco
- agent/software-canonical-lookup
- vendor/cisco
- canonical/cisco platform
- version/cisco platform/ir510 wpan industrial routers
- version/cisco platform/ios xe devices:
- version/cisco platform/ic3000 industrial compute gateway
- version/cisco platform/ie 4000 series switches
- version/cisco platform/cgr1000 compute module
- version/cisco platform/800 series isrs
- version/cisco platform/800 series industrial isrs