Overview
Cisco Prime NCS and WCS Health Monitor Login pages contain a reflected cross-site scripting (XSS) vulnerability (CWE-79).
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cisco Prime Network Control System (NCS) and Wireless Control System (WCS) Health Monitor Login pages contain an input validation error which results in a reflected cross-site scripting vulnerability that can allow an attacker to inject arbitrary HTML content (including script). |
Impact
An attacker can conduct a cross-site scripting attack which may be used to inject arbitrary HTML content (including script) into a web page presented to the user. JavaScript can be used to steal authentication cookies or other sensitive information. |
Solution
We are currently unaware of a practical solution to this problem. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| Temporal | 5.5 | E:F/RL:U/RC:C |
| Environmental | 1.4 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Tenable Network Security for reporting this vulnerability.
This document was written by Adam Rauf.
Other Information
| CVE IDs: | CVE-2012-5990 |
| Date Public: | 2013-09-03 |
| Date First Published: | 2013-09-03 |
| Date Last Updated: | 2013-09-13 19:22 UTC |
| Document Revision: | 52 |