Cisco IronPort Encryption Appliance Administrative Interface DOM-based Cross-site Scripting Vulnerability
Dell SecureWorks Security Advisory SWRX-2012-001
- Title: Cisco IronPort Encryption Appliance administrative interface DOM-based cross-site scripting vulnerability
- Advisory ID: SWRX-2012-001
- Date published: Monday, February 13, 2012
- CVE: CVE-2012-0340
- CVSS v2 base score: 4.3
- Date of last update: Monday, February 13, 2012
- Vendors contacted: Cisco Systems, Inc.
- Release mode: Coordinated
- Discovered by: Craig Lambert, Dell SecureWorks
A vulnerability exists in Cisco IronPort Encryption Appliance due to improper input validation of user-controlled input to the web-based administrative interface. User-controlled input supplied to the login page via the URL parameters/values is not properly sanitized for illegal or malicious content prior to being returned to the user in dynamically generated web content. A remote, unauthenticated attacker could exploit this vulnerability to perform DOM-based cross-site scripting (XSS) attacks, potentially resulting in the compromise of administrator sessions on the Cisco IronPort Encryption Appliance device.
PGP Signature (PC Users: You may need to right click your mouse and select "Save As")