Cisco FXOS
cpe:2.3:o:cisco:fxos:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software. This vulnerability allows an authenticated, remote attacker to inject malicious data into specific pages of the interface, which could then be executed as script code in the context of the affected interface. The vulnerability arises from inadequate validation of user-supplied input. To exploit this issue, an attacker must have valid credentials for a user account with Administrator or AAA Administrator privileges.
A successful exploit results in stored cross-site scripting: the injected script is saved in the affected pages and could then be executed in the context of the user interface.
Cisco has released software updates to address this vulnerability. For Cisco FXOS Software, the Cisco Software Checker tool can be used to determine exposure to vulnerabilities and identify the first fixed release. For Cisco UCS Manager Software, users should upgrade to version 4.3(6a) or later, depending on their current release.