TL;DR 📌
A stored cross-site scripting (XSS) vulnerability has been identified in the Cisco Integrated Management Controller’s Virtual Keyboard Video Monitor (vKVM). This medium-severity issue allows authenticated attackers to execute arbitrary scripts in the context of the affected interface. Cisco has released software updates to address this vulnerability, but no workarounds are available.
What happened 🕵️♂️
A vulnerability in the vKVM connection handling of Cisco’s Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to conduct a stored XSS attack. This vulnerability arises from insufficient validation of user-supplied input in the web-based management interface. An attacker could exploit this by injecting malicious code into specific data fields, potentially executing arbitrary script code or accessing sensitive browser-based information.