A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote malicious user to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the malicious user to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions before 3.5(1a) are affected.
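A triage check for the affected range stated above, as an added example that is not part of the original advisory or of any Cisco tooling. It assumes release strings follow the `major.minor(patch+letter)` form seen in `3.5(1a)`; the host names and inventory values are constructed.

```python
import re

# Fixed release stated on the page: versions before 3.5(1a) are affected.
FIXED_RELEASE = "3.5(1a)"

# Assumed format: major.minor(patch + optional letter), e.g. "3.5(1a)".
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)([a-z]?)\)\s*$", re.IGNORECASE)


def parse_release(text):
    """Turn '3.5(1a)' into a comparable tuple (3, 5, 1, 'a')."""
    match = _RELEASE_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, patch, letter = match.groups()
    # Numeric fields are compared as integers so that 3.10 sorts after 3.5.
    return (int(major), int(minor), int(patch), letter.lower())


def is_affected(release, fixed=FIXED_RELEASE):
    """True when the release sorts strictly before the fixed release."""
    return parse_release(release) < parse_release(fixed)


def triage(inventory, fixed=FIXED_RELEASE):
    """Split a {host: release} mapping into affected, patched and unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, release in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(release, fixed) else "patched"
        except ValueError:
            # Unparseable strings need manual review, not a silent pass.
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and release strings).
SAMPLE_INVENTORY = {
    "hx-lab-01": "3.0(1i)",
    "hx-lab-02": "3.5(1a)",
    "hx-lab-03": "2.6(1e)",
    "hx-lab-04": "3.5(2a)",
    "hx-lab-05": "3.10(1a)",
    "hx-lab-06": "unknown-build",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be checked by hand, since a release string the parser cannot read says nothing about whether the fix is present.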
Patches available now spread across more than a dozen advisories
Cisco emitted on Wednesday a bunch of security updates that, your support contract willing, you should test and roll out to installations as soon as possible.
There are 17 advisories in all, including revised versions of previously issued bulletins, with six marked as high in terms of severity and the rest medium. The worst of the lot grants root access to a local attacker, closely followed by another that allows any remote miscreant in without authorization.
Here's a summary of the ...