HTTP response splitting attack in Cisco Systems, Inc products - CVE-2017-12308
Published: January 18, 2018
Cisco ESW2 Series Advanced Switches
Cisco 350 Series Managed Switches
Cisco 350X Series Stackable Managed Switches
Cisco 550X Series Stackable Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches
Cisco Small Business 300 Series Managed Switches
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform an HTTP response splitting attack.
The vulnerability exists in the web framework of Cisco Small Business Managed Switches software due to insufficient input validation of some parameters that are passed to the web server. A remote attacker can convince a user to follow a malicious link, or intercept a user request and inject malicious code into it, and thereby execute arbitrary script code in the context of the affected web interface and access sensitive browser-based information.
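An added illustration of the flaw class described above (not Cisco's code and not taken from the advisory): a request parameter reflected into a response header without validation, next to a version that rejects control characters before the header is written. The function names, the redirect scenario and the sample parameter are assumptions constructed for this example.

```python
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed sample: a parameter as it looks after the server URL-decodes it.
SAMPLE = unquote("/home%0d%0aX-Injected:%201")


def build_redirect_unsafe(target: str) -> bytes:
    """Flawed pattern: the parameter goes into the header block unchecked."""
    head = ("HTTP/1.1 302 Found" + CRLF +
            "Location: " + target + CRLF +
            "Content-Length: 0" + CRLF + CRLF)
    return head.encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject CR, LF, NUL and other control characters in a header value."""
    for ch in value:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise ValueError("control character in header value")
    return value


def build_redirect_safe(target: str) -> bytes:
    """Hardened pattern: validate first, then build the header block."""
    return build_redirect_unsafe(safe_header_value(target))


def header_lines(raw: bytes) -> list:
    """Header lines as a client parses them, up to the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode("latin-1").split(CRLF)


if __name__ == "__main__":
    # The unchecked value ends the Location header early and adds a new line.
    print(header_lines(build_redirect_unsafe(SAMPLE)))
    try:
        build_redirect_safe(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The check runs on the decoded value, because that is the form that reaches the header writer; validating only the raw query string would miss percent-encoded line breaks.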