ID

VAR-201710-0650


CVE

CVE-2017-12272


TITLE

Cisco IOS XE Software cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-009288

DESCRIPTION

A vulnerability in the web framework code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected software. An attacker could exploit this vulnerability by convincing a user of the web interface to access a malicious link or by intercepting a user request for the affected web interface and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvb09516. The vendor has confirmed this vulnerability and released it as Bug ID CSCvb09516. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Web framework is one of the Web frameworks

Trust: 1.98

sources: NVD: CVE-2017-12272 // JVNDB: JVNDB-2017-009288 // BID: 101494 // VULHUB: VHN-102778

AFFECTED PRODUCTS

vendor: cisco | model: ios xe | scope: eq | version: 16.3(1)

Trust: 1.6

vendor: cisco | model: ios xe | scope: eq | version: 16.2.0

Trust: 1.6

vendor: cisco | model: ios xe | scope: eq | version: 16.1.2

Trust: 1.6

vendor: cisco | model: ios xe | scope: - | version: -

Trust: 0.8

vendor: cisco | model: ios xe software | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: ios | scope: eq | version: 16.2

Trust: 0.3

vendor: cisco | model: ios | scope: eq | version: 16.1.2

Trust: 0.3

vendor: cisco | model: ios | scope: eq | version: 16.3(1)

Trust: 0.3

sources: BID: 101494 // JVNDB: JVNDB-2017-009288 // CNNVD: CNNVD-201710-885 // NVD: CVE-2017-12272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12272
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12272
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201710-885
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102778
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12272
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102778
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12272
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102778 // JVNDB: JVNDB-2017-009288 // CNNVD: CNNVD-201710-885 // NVD: CVE-2017-12272

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-102778 // JVNDB: JVNDB-2017-009288 // NVD: CVE-2017-12272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-885

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201710-885

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009288

PATCH

title: cisco-sa-20171018-cisco-ios-xe | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-cisco-ios-xe

Trust: 0.8

title: Cisco IOS XE Software Web Fixes for framework cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75867

Trust: 0.6

sources: JVNDB: JVNDB-2017-009288 // CNNVD: CNNVD-201710-885

EXTERNAL IDS

db: NVD | id: CVE-2017-12272

Trust: 2.8

db: BID | id: 101494

Trust: 2.0

db: SECTRACK | id: 1039627

Trust: 1.7

db: JVNDB | id: JVNDB-2017-009288

Trust: 0.8

db: CNNVD | id: CNNVD-201710-885

Trust: 0.7

db: VULHUB | id: VHN-102778

Trust: 0.1

sources: VULHUB: VHN-102778 // BID: 101494 // JVNDB: JVNDB-2017-009288 // CNNVD: CNNVD-201710-885 // NVD: CVE-2017-12272

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171018-cisco-ios-xe

Trust: 2.0

url: http://www.securityfocus.com/bid/101494

Trust: 1.7

url: http://www.securitytracker.com/id/1039627

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12272

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-12272

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-102778 // BID: 101494 // JVNDB: JVNDB-2017-009288 // CNNVD: CNNVD-201710-885 // NVD: CVE-2017-12272

CREDITS

Cisco

Trust: 0.3

sources: BID: 101494

SOURCES

db: VULHUB | id: VHN-102778
db: BID | id: 101494
db: JVNDB | id: JVNDB-2017-009288
db: CNNVD | id: CNNVD-201710-885
db: NVD | id: CVE-2017-12272

LAST UPDATE DATE

2024-11-23T22:42:03.184000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-102778 | date: 2019-10-09T00:00:00
db: BID | id: 101494 | date: 2017-10-18T00:00:00
db: JVNDB | id: JVNDB-2017-009288 | date: 2017-11-08T00:00:00
db: CNNVD | id: CNNVD-201710-885 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2017-12272 | date: 2024-11-21T03:09:12.503

SOURCES RELEASE DATE

db: VULHUB | id: VHN-102778 | date: 2017-10-19T00:00:00
db: BID | id: 101494 | date: 2017-10-18T00:00:00
db: JVNDB | id: JVNDB-2017-009288 | date: 2017-11-08T00:00:00
db: CNNVD | id: CNNVD-201710-885 | date: 2017-10-24T00:00:00
db: NVD | id: CVE-2017-12272 | date: 2017-10-19T08:29:00.373