Cisco Router and Security Device Manager versions 2.5 and prior contain a vulnerability that could allow attackers to conduct cross-site scripting attacks. The vulnerability exists due to improper validation of parameters processed by the application. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious URL. If successful, the attacker could execute arbitrary script or HTML code in the user's browser session. Cisco has confirmed the vulnerability in a bug entry; however, updates are not available. To exploit this vulnerability, an attacker must convince a user to follow a provided URL. The attacker may send URLs to the user within e-mail messages or posted on a website. The attacker may use social engineering techniques in an attempt to convince the user to trust the provided link. Only users with access to the application can participate in an exploit. Due to the nature of the application, it is likely that very few users who perform administrative tasks will have the required access, limiting the potential for exploitation. Although fixes for Cisco Router and Security Device Manager are not available, users can deploy the Cisco Configuration Professional in its place. The software is available at the following link: Cisco Configuration Professional
Cisco Router and Security Device Manager versions 2.5 and prior contain a vulnerability that could allow attackers to conduct cross-site scripting attacks.
The vulnerability exists due to improper validation of parameters processed by the application. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious URL. If successful, the attacker could execute arbitrary script or HTML code in the user's browser session.
Cisco has confirmed the vulnerability in a bug entry; however, updates are not available.
To exploit this vulnerability, an attacker must convince a user to follow a provided URL. The attacker may send URLs to the user within e-mail messages or posted on a website. The attacker may use social engineering techniques in an attempt to convince the user to trust the provided link.
Only users with access to the application can participate in an exploit. Due to the nature of the application, it is likely that very few users who perform administrative tasks will have the required access, limiting the potential for exploitation.
Although fixes for Cisco Router and Security Device Manager are not available, users can deploy the Cisco Configuration Professional in its place. The software is available at the following link: Cisco Configuration Professional
Cisco released a bug entry at the following link: CSCtb38467
JPCERT released a vulnerability note at the following link: 14313132
Administrators are advised to apply updates as they become available.
Administrators are advised to allow only trusted users to have application access.
Users should verify that unsolicited links are safe to follow.
Users are advised to log out of the application when not in use.
Administrators are advised to monitor critical systems.
Patches and software updates are unavailable.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
| 1.0 | Initial Release | NA | Final | 2010-Apr-29 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon