Medium
Cisco IP Phone 6800, 7800, and 8800 Series are vulnerable to cross-site request forgery, caused by improper authorization by the web-based interface. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform configuration changes on the affected device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
Cisco Web Security Appliance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Cisco Secure Network Analytics Network Diagrams Application is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote authenticated attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Multiple Cisco Security Products are vulnerable to a denial of service, caused by an open port listener on TCP port 199. By connecting to TCP port 199, a remote attacker could exploit this vulnerability to crash the Simple Network Management Protocol (SNMP) service.
Cisco Identity Services Engine could allow a remote authenticated attacker to obtain sensitive information, caused by improper enforcement of administrative privilege levels for high-value sensitive data. By navigating to a page that contains sensitive data, an attacker could exploit this vulnerability to obtain sensitive information.
Cisco
Refer to Cisco Security Advisory for the patch, upgrade, or suggested workaround information.