Cisco Small Business 300 Web-based Management Interface Persistent 跨站脚本攻击

CVE编号

CVE-2018-0407

利用情况

暂无

补丁情况

N/A

披露时间

2018-08-02

漏洞描述

Cisco Small Business 300 Series（Sx300）Managed Switches是美国思科（Cisco）公司的一款300系列的交换机设备。
Cisco Small Business 300 Series（Sx300）Managed Switches中基于Web的管理界面存在跨站脚本漏洞，该漏洞源于该界面未充分的验证用户提交的输入。远程攻击者可通过诱使该界面用户点击特制的链接利用该漏洞在该界面的上下文中执行任意脚本代码或访问基于浏览器的敏感信息。

解决建议

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：
https://www.cisco.com/

参考链接
http://www.securityfocus.com/bid/104947
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	cisco	sf300-08_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-24mp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-24pp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-24p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-24_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-48pp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-48p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf300-48_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf302-08mpp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf302-08mp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf302-08pp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf302-08p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sf302-08_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10mpp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10mp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10pp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10sfp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-10_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-20_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-28mp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-28pp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-28p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-28sfp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-28_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-52mp_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-52p_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	系统	cisco	sg300-52_firmware	*	From (including) 1.4.7	Up to (including) 1.4.7.06
	运行在以下环境
	硬件	cisco	sf300-08	-	-
	运行在以下环境
	硬件	cisco	sf300-24	-	-
	运行在以下环境
	硬件	cisco	sf300-24mp	-	-
	运行在以下环境
硬件	cisco	sf300-24p	-	-
运行在以下环境
硬件	cisco	sf300-24pp	-	-
运行在以下环境
硬件	cisco	sf300-48	-	-
运行在以下环境
硬件	cisco	sf300-48p	-	-
运行在以下环境
硬件	cisco	sf300-48pp	-	-
运行在以下环境
硬件	cisco	sf302-08	-	-
运行在以下环境
硬件	cisco	sf302-08mp	-	-
运行在以下环境
硬件	cisco	sf302-08mpp	-	-
运行在以下环境
硬件	cisco	sf302-08p	-	-
运行在以下环境
硬件	cisco	sf302-08pp	-	-
运行在以下环境
硬件	cisco	sg300-10	-	-
运行在以下环境
硬件	cisco	sg300-10mp	-	-
运行在以下环境
硬件	cisco	sg300-10mpp	-	-
运行在以下环境
硬件	cisco	sg300-10p	-	-
运行在以下环境
硬件	cisco	sg300-10pp	-	-
运行在以下环境
硬件	cisco	sg300-10sfp	-	-
运行在以下环境
硬件	cisco	sg300-20	-	-
运行在以下环境
硬件	cisco	sg300-28	-	-
运行在以下环境
硬件	cisco	sg300-28mp	-	-
运行在以下环境
硬件	cisco	sg300-28p	-	-
运行在以下环境
硬件	cisco	sg300-28pp	-	-
运行在以下环境
硬件	cisco	sg300-28sfp	-	-
运行在以下环境
硬件	cisco	sg300-52	-	-
运行在以下环境
硬件	cisco	sg300-52mp	-	-
运行在以下环境
硬件	cisco	sg300-52p	-	-

攻击路径网络
攻击复杂度低
权限要求低
影响范围已更改
用户交互需要
可用性无
保密性低
完整性低

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CWE-ID 漏洞类型 CWE-79 在Web页面生成时对输入的转义处理不恰当（跨站脚本）

正文

Cisco Small Business 300 Web-based Management Interface Persistent 跨站脚本攻击

漏洞描述

解决建议

参考链接

受影响软件情况

相关阅读

Cisco Web Security Appliance devices安全机制绕过漏洞

JasPer拒绝服务漏洞

Oracle E-Business Suite Oracle Applications Framework UIX组件存在未明漏洞

Oracle E-Business Suite Oracle Applications Framework Popup Windows组件存在未明漏洞

发表评论取消回复

还没有评论，来说两句吧...

目录[+]