Posts for: #16.11.2

Cisco IOS XE Software Web Authentication Reflected Cross-Site Scripting Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 6.1 Security Advisory

TL;DR 📌

A reflected cross-site scripting (XSS) vulnerability has been identified in the Web Authentication feature of Cisco IOS XE Software. This issue could allow an unauthenticated remote attacker to execute malicious scripts in the browser of a user of an affected device. Cisco has released updates to address this vulnerability, but there are no workarounds available.

What happened 🕵️‍♂️

A vulnerability in the Web Authentication feature of Cisco IOS XE Software allows an unauthenticated remote attacker to conduct a reflected cross-site scripting (XSS) attack. This vulnerability arises from improper sanitization of user-supplied input. An attacker could exploit this by persuading a user to click a malicious link, potentially allowing the attacker to steal user cookies from the affected device.


Cisco IOS XE Software CLI Argument Injection Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 6.0 Security Advisory

TL;DR 📌

A medium-severity vulnerability has been identified in Cisco IOS XE Software that allows authenticated local attackers with administrative privileges to execute arbitrary commands on the underlying operating system. No workarounds are available, and users are advised to upgrade to fixed software as soon as possible.

What happened 🕵️‍♂️

A vulnerability in the Command-Line Interface (CLI) of Cisco IOS XE Software could allow an authenticated local attacker with administrative privileges to execute arbitrary commands as root on the affected device’s operating system. This issue arises from insufficient validation of user arguments passed to specific CLI commands. An attacker could exploit this by logging in with valid administrative credentials and using crafted commands.


Cisco IOS XE Software Network-Based Application Recognition Denial of Service Vulnerability

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

A high-severity vulnerability has been identified in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software. This flaw could allow unauthenticated remote attackers to cause affected devices to reload, resulting in a denial of service (DoS) condition. Cisco has released fixed software, but there are no workarounds available.

What happened 🕵️‍♂️

A vulnerability in the NBAR feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability arises from improper handling of malformed Control and Provisioning of Wireless Access Points (CAPWAP) packets. By sending these malformed packets, an attacker can cause the affected device to unexpectedly reload, leading to a denial of service (DoS).


Cisco IOS XE Software Web UI Reflected Cross-Site Scripting Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 6.1 Security Advisory

TL;DR 📌

A reflected cross-site scripting (XSS) vulnerability has been identified in the web UI of Cisco IOS XE Software. This flaw could allow unauthenticated remote attackers to execute malicious scripts in the browser of a user of an affected device. Cisco has released software updates to address this issue, but no workarounds are available.

What happened 🕵️‍♂️

A vulnerability in the web UI of Cisco IOS XE Software allows unauthenticated remote attackers to conduct reflected cross-site scripting (XSS) attacks. This vulnerability arises from improper sanitization of user-supplied input. An attacker could exploit it by tricking a user into clicking a malicious link. A successful exploit could allow attackers to steal user cookies from affected devices.
