SB2017062203 - Multiple vulnerabilities in Cisco Prime Infrastructure
Published: June 22, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2017-6724)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in the web framework code of Cisco Prime Infrastructure due to incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2017-6725)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in the web framework code of Cisco Prime Infrastructure due to incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2017-6700)
The disclosed vulnerability allows a remote attacker to perform Document Object Model (DOM) based cross-site scripting (XSS) attacks.
The weakness exists in the web-based management interface due to incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2017-6699)
The disclosed vulnerability allows a remote attacker to perform reflected cross-site scripting (XSS) attacks.
The weakness exists in the web-based management interface due to incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) SQL injection (CVE-ID: CVE-2017-6698)
The vulnerability allows a remote authenticated attacker to execute arbitrary SQL queries in web application database.
The vulnerability exists in the SQL database interface due to a lack of proper validation on user-supplied input within SQL queries. A remote attacker can send a specially crafted URLs containing SQL statements and execute arbitrary SQL queries in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected website.
6) XML injection (CVE-ID: CVE-2017-6662)
The vulnerability allows a remote authenticated attacker to gain read and write access to information and possibly execute arbitrary code.
The vulnerability exists in the web based user interface due to improper handling of XML External Entity (XXE) entries when parsing an XML file. A remote attacker can trick the administrator of an affected system into importing a specially crafted XML file with malicious entries, read and write files and execute remote code within the application.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected website.
Remediation
Install update from vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piwf1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm4
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm3
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm2