Cisco Integrated Management Controller
cpe:2.3:a:cisco:integrated_management_controller:*:*:*:*:*:*:*
- <= 4.2
- <= 3.2
- <= 4.15
A stored cross-site scripting vulnerability has been identified in the web-based management interface of Cisco Integrated Management Controller (IMC). This vulnerability allows an authenticated, remote attacker with administrative privileges to execute arbitrary script code in the browser of a targeted user or to access sensitive, browser-based information. The issue arises from insufficient validation of user input, and exploitation requires persuading a user to click a crafted link.
Successful exploitation results in stored cross-site scripting: the injected script is executed in the context of the user interface.
Cisco has released software updates to address this vulnerability:
- Cisco 5000 Series ENCS and Catalyst 8300 Series Edge uCPE: upgrade to Cisco NFVIS 4.15.5 or 4.18.3.
- UCS C-Series M5 and M6 Rack Servers: upgrade to Cisco IMC 4.3(2.260007) or 6.0(2.260044).
- UCS E-Series M3 and M6, and UCS S-Series Storage Servers: upgrade to the fixed releases mentioned in the advisory.

Instructions for upgrading can be found in the Cisco Host Upgrade Utility User Guide or through the Cisco Support and Downloads page.