Reflected cross-site scripting in Cisco Systems, Inc products - CVE-2017-12307
Published: January 17, 2018 / Updated: January 18, 2018
Vulnerability identifier: #VU10102
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12307
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Small Business 500 Series Stackable Managed Switches
Cisco Small Business 300 Series Managed Switches
Cisco 350 Series Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches
Cisco Small Business 300 Series Managed Switches
Cisco 350 Series Managed Switches
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform reflected cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
How to mitigate CVE-2017-12307
Install update from vendor's website.