#VU8 Cross-site scripting


Published: 2016-06-17 | Updated: 2019-03-01

Vulnerability identifier: #VU8

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1396

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RV110W Wireless-N VPN Firewall
Hardware solutions / Routers for home users
RV130W Wireless-N Multifunction VPN Router
Hardware solutions / Routers for home users
RV215W Wireless-N VPN Router
Hardware solutions / Routers for home users

Vendor: Cisco Systems, Inc

Description

A vulnerability in the web-based management interface of Cisco RV110W Wireless-N VPN Firewalls, Cisco RV130W Wireless-N Multifunction VPN Routers, and Cisco RV215W Wireless-N VPN Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface for a targeted device.

A successful exploit can allow the attacker to execute arbitrary script in the context of the web-based management interface for the device or allow the attacker to access sensitive browser-based information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RV110W Wireless-N VPN Firewall: 1.0.0.2 - 1.2.1.6

RV130W Wireless-N Multifunction VPN Router: 1.0.0.21 - 1.0.3.15

RV215W Wireless-N VPN Router: 1.1.0.5 - 1.3.0.7

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160615-rv1
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCux82567
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCux82583
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCux82599

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Cisco RV110W, RV130W, and RV215W routers