Cisco IOx
cpe:2.3:a:cisco:iox:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in the web-based management interface of Cisco IOS XE Software, specifically within the Cisco IOx application hosting environment. This vulnerability allows an authenticated, remote attacker to inject malicious scripts that are executed in the context of the user's browser session. The issue arises from inadequate validation of user input, enabling attackers to exploit the vulnerability by embedding harmful code into certain interface pages. Successful exploitation could lead to the execution of arbitrary scripts or the exposure of sensitive browser-based information. To exploit this vulnerability, an attacker must possess valid administrative credentials.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the affected user interface.
Cisco has released software updates to address this vulnerability. For guidance on upgrading to a fixed software release, consult the Cisco IOS and IOS XE Software Security Advisory Bundled Publication or use the Cisco Software Checker tool to identify the earliest release that fixes this vulnerability.