Cisco Integrated Management Controller Virtual Keyboard Video Monitor Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC). An authenticated, remote attacker with low privileges can inject arbitrary script into the web-based management interface; because the injection is stored, the script runs in the browser of any user who later views the affected interface, with that user's session context, and could be used to access sensitive browser-based information. The root cause is insufficient validation of user-supplied input before it is rendered by the web-based management interface. Exploitation requires valid user credentials with vKVM access on the affected device. Note that this vulnerability also affects the vKVM client included in Cisco UCS Manager.
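The advisory does not disclose which vKVM field is affected, so the following is an added illustration of the vulnerability class, not Cisco's code: a user-controlled string (assumed here to be a session label, a hypothetical field) is stored and later rendered into the management UI. The vulnerable renderer concatenates the stored value straight into markup; the hardened renderer HTML-encodes every untrusted field first. The payload and session record are constructed for the example.

```javascript
// Added example of stored XSS rendering, vulnerable form beside hardened form.
// ASSUMPTION: the affected field is a persisted, user-supplied "label" that is
// rendered into an HTML table in the management UI (hypothetical field name).

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable: stored values are interpolated into markup without encoding.
function renderSessionRowVulnerable(session) {
  return `<tr><td>${session.user}</td><td>${session.label}</td></tr>`;
}

// Hardened: every untrusted field is encoded before it reaches the DOM.
function renderSessionRowHardened(session) {
  return `<tr><td>${escapeHtml(session.user)}</td><td>${escapeHtml(session.label)}</td></tr>`;
}

// Constructed payload of the kind a low-privileged user could store.
const CONSTRUCTED_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const sampleSession = { user: 'operator', label: CONSTRUCTED_PAYLOAD };

// Self-check: does the rendered HTML contain a live tag with an event handler,
// or a script tag? Encoded output never does, because '<' became '&lt;'.
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[^>]*\bon\w+\s*=/i.test(html);
}

// Stand-alone run: prints both renderings and the check result.
console.log('vulnerable :', renderSessionRowVulnerable(sampleSession));
console.log('hardened   :', renderSessionRowHardened(sampleSession));
console.log('vulnerable active?', containsActiveMarkup(renderSessionRowVulnerable(sampleSession)));
console.log('hardened active?  ', containsActiveMarkup(renderSessionRowHardened(sampleSession)));
```

In a real management UI the fix belongs in a template engine with contextual auto-escaping rather than a hand-written encoder, and a Content Security Policy that blocks inline handlers limits the blast radius if a field is missed; the advisory only tells us that input validation was insufficient, not which layer Cisco changed.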

Impact

A successful exploit allows the attacker's injected script to execute in the browser of a user of the affected interface, within that user's session context, which could expose sensitive browser-based information or let the attacker perform actions as that user in the interface.

Remediation

Cisco has released software updates that address this vulnerability; there are no workarounds. For Cisco IMC on Catalyst 8300 Series Edge uCPE, the fix is delivered through the firmware auto-upgrade process. For Cisco UCS Manager and for B-Series and X-Series Servers, platform-specific upgrade instructions and fixed releases are listed in the Cisco advisory. Cisco appliances based on a preconfigured version of UCS C-Series Servers can also upgrade their IMC software to a fixed release. Until the fixed release is installed, restricting vKVM access to trusted accounts reduces the set of users who could store a payload.

Added: Aug 27, 2025, 5:33 PM
Updated: Aug 27, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 3.1
exploitability: 4.6
remediation: 8.3
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.