CVE-2023-20228 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Cisco Encs 5100 Firmware

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 76.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Encs 5100 Firmware Cisco Encs 5400 Firmware Cisco Ucs-e1120d-m3 Firmware +6 more

Timeline

PublishedAug 16

Description

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages9 packages

▶NVDcisco/ucs_c220_m5_rack4.2 — 4.3.2.230207

▶NVDcisco/encs_5100_firmware3.2 — 3.2.15.1

▶NVDcisco/encs_5400_firmware3.2 — 3.2.15.1

▶NVDcisco/ucs_e160s_m3_firmware< 3.2.15.1

▶NVDcisco/ucs_e180d_m3_firmware< 3.2.15.1

🔴Vulnerability Details

GHSA

GHSA-v2pg-m39g-cxhr: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker↗2023-08-16

▶

CVEList

CVE-2023-20228: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker↗2023-08-16

▶

📋Vendor Advisories

Cisco

Cisco Integrated Management Controller Cross-Site Scripting Vulnerability↗2023-08-16

▶