Cisco UCS Manager Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the web-based management interface of Cisco UCS Manager Software. This issue allows an authenticated, remote attacker to inject malicious data into specific pages of the interface. The vulnerability arises from inadequate validation of user-supplied input, enabling the execution of arbitrary script code in the context of the affected interface or access to sensitive, browser-based information. To exploit this vulnerability, the attacker must hold an Administrator or AAA Administrator role.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user interface, potentially leading to the execution of malicious scripts or the exposure of sensitive browser information.

Remediation

Users can upgrade to Cisco UCS Manager Software versions 4.2(3p) or 4.3(6a). For UCS 6300 Series, 6400 Series, 6500 Series, and 9108 100G Fabric Interconnects, those on versions 4.1 and earlier should migrate to a fixed release.