Cisco IMC Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the web-based management interface of Cisco Integrated Management Controller (IMC). This vulnerability allows an unauthenticated, remote attacker to execute arbitrary script code in the browser of a targeted user or access sensitive, browser-based information. The issue arises from insufficient validation of user input; an attacker exploits it by persuading a user to click on a crafted link.

Impact

Successful exploitation results in reflected cross-site scripting: the attacker's script executes in the context of the user's browser session.

Remediation

Cisco has released software updates to address this vulnerability. For Cisco 5000 Series ENCS and Catalyst 8300 Series Edge uCPE, IMC can be upgraded as part of the firmware auto-upgrade process. UCS C-Series M5 and M6 Rack Servers can be upgraded to specific fixed releases. For UCS E-Series Servers, similar upgrade paths are available. Instructions for upgrading Cisco IMC on appliances based on a preconfigured version of a Cisco UCS C-Series Server are also provided in the advisory.

Added: Apr 1, 2026, 6:17 PM
Updated: Apr 1, 2026, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.3
exploitability: 5.8
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.