Cisco IOS XE Software Web UI Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the web UI of Cisco IOS XE Software. This issue allows an unauthenticated, remote attacker to execute a reflected XSS attack on an affected device, potentially stealing user cookies. The vulnerability arises from improper sanitization of user input. Exploitation requires persuading a user to click a malicious link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser session.

Remediation

Cisco has released software updates to address this vulnerability. To determine the appropriate update, users can consult the Cisco Software Checker tool. Disabling the HTTP Server feature can also eliminate the attack vector, but this should be done with caution as it may impact device management functionality.