CVE-2019-12668Cross-site Scripting in Cisco IOS XE Software 3.6.0e

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
EPSS
0.2%
top 60.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cisco IOS XE Software 3.6.0eCisco IOS XECisco IOS
Timeline
PublishedSep 25
Latest updateMay 24

Description

A vulnerability in the web framework code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software using the banner parameter. The vulnerability is due to insufficient input validation of the banner parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by crafting a banner parameter and saving

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

CVEListV5cisco/cisco_ios_xe_software_3.6.0eunspecifiedn/a
NVDcisco/ios_xe16.1.116.3.8+9
NVDcisco/ios12 versions+11

🔴Vulnerability Details

2
GHSA
GHSA-25j2-3m7q-pc9m: A vulnerability in the web framework code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cro2022-05-24
CVEList
Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability2019-09-25

📋Vendor Advisories

1
Cisco
Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability2019-09-25
CVE-2019-12668 — Cross-site Scripting in Cisco | cvebase