Cisco Meeting Server 1.7 Base Cross Site Scripting Vulnerability
9 Sep. 2016
Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Meeting Server (formerly Acano Conferencing Server) 1.7 through 1.9 allows remote attackers to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCva19922.
* Cisco Meeting Server 1.7 Base
* Cisco Meeting Server 1.8 Base
* Cisco Meeting Server 1.9 Base
A vulnerability in the HTTP web-based management interface of Cisco Meeting Server Software, formerly Acano Conferencing Server, could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the web interface of an affected system.
The vulnerability is due to improper input validation of certain parameters that are passed to an affected device via an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected management interface or allow the attacker to access sensitive browser-based information.
Additional information about XSS attacks and potential mitigations can be found in the following resources:
OWASP Attack Reference: Cross-site Scripting (XSS)
Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.