Cisco Prime Infrastructure and EPNM SystemPreferences_Configurable Cross Site Scripting
TSL ID TSL20170622-09
CVE ID(s) CVE-2017-6699
Severity High
Description

A reflected cross-site scripting vulnerability has been reported in Cisco Prime Infrastructure and Evolved Programmable Network Manager. The vulnerability is due to insufficient validation of the taskName and confUrl request parameters in SystemPreferences_Configurable.jsp.

A remote user can exploit this vulnerability by enticing a target user to visit a maliciously crafted URL. Successful exploitation results in the execution of arbitrary script code in the target user's browser.

The vendor, Cisco, has released the following advisory regarding these vulnerabilities:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm3
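For triage before or after patching, the following added example (not part of the vendor's or the original advisory's material) scans web access log lines for requests to SystemPreferences_Configurable.jsp whose taskName or confUrl values decode to markup-like input. The log format, the `/app/` path prefix and all sample lines are constructed assumptions; only the page name and the two parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Only the file name is matched: the advisory does not give the full path.
TARGET_PAGE = "SystemPreferences_Configurable.jsp"
WATCHED_PARAMS = ("taskName", "confUrl")
# Characters/schemes that let a value break out of HTML or attribute context.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript\s*:", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return sorted names of watched parameters carrying markup-like input."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    path = url.path.split(";", 1)[0]  # drop ;jsessionid=... path parameters
    if not path.endswith("/" + TARGET_PAGE):
        return []
    hits = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SUSPICIOUS.search(decode_fully(value)):
            hits.add(name)
    return sorted(hits)

def scan(lines):
    """Return (line_number, parameter_names) for every line worth reviewing."""
    return [(n, p) for n, p in ((i, suspicious_params(l)) for i, l in enumerate(lines, 1)) if p]

# Constructed sample lines (combined log format, hypothetical /app/ prefix).
PAGE = "/app/" + TARGET_PAGE
SAMPLE_LOG = [
    f'192.0.2.10 - - [22/Jun/2017:10:00:01 +0000] "GET {PAGE}?taskName=Backup&confUrl=settings.jsp HTTP/1.1" 200 5120',
    f'192.0.2.11 - - [22/Jun/2017:10:00:02 +0000] "GET {PAGE}?taskName=%22%3E%3Cscript%3Ex%3C%2Fscript%3E&confUrl=a HTTP/1.1" 200 5301',
    f'192.0.2.12 - - [22/Jun/2017:10:00:03 +0000] "GET {PAGE}?taskName=Backup&confUrl=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5288',
    '192.0.2.13 - - [22/Jun/2017:10:00:04 +0000] "GET /app/Other.jsp?taskName=%3Cb%3E HTTP/1.1" 200 910',
    f'192.0.2.14 - - [22/Jun/2017:10:00:05 +0000] "GET {PAGE};jsessionid=ABC?taskName=a&confUrl=javascript:void(0) HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, params in scan(SAMPLE_LOG):
        print(f"line {line_no}: review {', '.join(params)}")
```

A hit means the request deserves review, not that script ran; a quote character in a legitimate task name will also match.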

Affected Products
  • Cisco Systems Evolved Programmable Network Manager prior to 3.1.5
  • Cisco Systems Prime Infrastructure prior to 3.1.5
CVSS Score Base 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.3 (E:POC/RL:OF/RC:C):
  • The exploitability level of this vulnerability is PROOF OF CONCEPT
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm3
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170622-0_Cisco_Prime_Infrastructure_XXE_SQLi_XSS_v10.txt