Title : Cisco Products Search Module Keyword Handling Cross Site Scripting Vulnerability
VUPEN ID : VUPEN/ADV-2007-0973
CVE ID : CVE-2007-1467
Rated as : Moderate Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-16


Technical Description

A vulnerability has been identified in various Cisco products, which could be exploited by attackers to execute arbitrary scripting code. This issue is due to an input validation error in the "PreSearch.html" (or "PreSearch.class", depending on the product) script when processing a malformed search keyword. Attackers could exploit it to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
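As an added example (not part of the VUPEN or Cisco advisory), the following log check flags requests to the search script whose query string carries HTML metacharacters after decoding. Only the script names come from the advisory; the Common Log Format input, the `/help/` path prefix and the `q` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Script names taken from the advisory; everything else here is an assumption.
SEARCH_SCRIPTS = ("/presearch.html", "/presearch.class")
# Characters that let a reflected value break out of HTML text or an attribute.
HTML_META = re.compile(r"[<>\"']")
# Request portion of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_search_requests(log_lines):
    """Return (line_number, decoded_query) for search-module requests whose
    query string carries HTML metacharacters after decoding."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(SEARCH_SCRIPTS):
            continue  # some other page, out of scope for this check
        query = fully_decode(target.query)
        if HTML_META.search(query):
            hits.append((number, query))
    return hits

# Constructed sample lines (not real traffic); paths and the "q" parameter are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Mar/2007:10:00:01 +0000] "GET /help/PreSearch.html?q=radius+timeout HTTP/1.1" 200 512',
    '192.0.2.11 - - [16/Mar/2007:10:00:07 +0000] "GET /help/PreSearch.html?q=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [16/Mar/2007:10:00:09 +0000] "GET /help/PreSearch.class?q=%2522%253E%253Cb%253E HTTP/1.1" 200 640',
    '192.0.2.13 - - [16/Mar/2007:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, query in suspicious_search_requests(SAMPLE_LOG):
        print(f"line {number}: {query!r}")
```

Legitimate keywords containing an apostrophe or quote will also match, so treat hits as leads for review rather than confirmed exploitation attempts.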

Affected Products

Cisco Secure Access Control Server (ACS) for Windows versions 4.x
Cisco Secure ACS Solution Engine versions 4.x
Cisco VPN Client
Cisco Unified Personal Communicator
Cisco MeetingPlace
Cisco Unified MeetingPlace
Cisco Unified MeetingPlace Express
Cisco CallManager
Cisco IP Communicator
Cisco Unified Video Advantage (Cisco VT Advantage)
Cisco Unified Videoconferencing 3545 System
Cisco Unified Videoconferencing 3540 Series Videoconferencing System
Cisco Unified Videoconferencing 3515 MCU
Cisco Unified Videoconferencing 3527 PRI Gateway
Cisco Unified Videoconferencing 3526 PRI Videoconferencing Gateway
Cisco Unified Videoconferencing Manager
Cisco WAN Manager (CWM)
Cisco Security Device Manager
Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches
Cisco Network Analysis Module (NAM) for Cisco 7600 series routers
Cisco Network Analysis Module (NAM) for modular IOS routers
CiscoWorks
Cisco Management Center for IPS Sensors
Cisco Security Monitor
Cisco CiscoWorks LAN Management Solution
Cisco Router Management Essentials
Cisco Common Services
Cisco Device Fault Manager
Cisco CiscoView
Cisco Internetwork Performance Monitor (IPM)
Cisco Campus Manager
Cisco Wireless LAN Solution Engine (WLSE)
Cisco 2006 Wireless LAN Controllers (WLC)
Cisco Wireless Control System (WCS)
Cisco VPN 3000 Series Concentrators

Solution

Apply patches :
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

References

http://www.vupen.com/english/advisories/2007/0973
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

Credits

Vulnerability reported by Erwin Paternotte (Fox-IT) and Cassio Goldschmidt.

ChangeLog

2007-03-16 : Initial release

Copyright 2003-2009 © VUPEN.COM