VYPR
Unrated severity · NVD Advisory · Published May 16, 2008 · Updated Apr 23, 2026

CVE-2008-2165

Description

Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cisco Building Broadband Service Manager (BBSM) Captive Portal 5.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in Cisco BBSM Captive Portal 5.3 via the msg parameter in AccessCodeStart.asp allows remote attackers to inject arbitrary web script or HTML.

Vulnerability

The vulnerability is a cross-site scripting (XSS) issue in the AccessCodeStart.asp page of Cisco Building Broadband Service Manager (BBSM) Captive Portal version 5.3. The msg parameter is not properly sanitized, allowing remote attackers to inject arbitrary web script or HTML [1][2].

Exploitation

An attacker can exploit this vulnerability remotely without authentication, though the attack complexity is medium (likely requiring user interaction such as clicking a crafted link). The attacker crafts a malicious URL containing the payload in the msg parameter and lures a victim to visit it [2].

Impact

Successful exploitation results in partial integrity impact (e.g., defacement or phishing) but no confidentiality or availability impact, as per the CVSS score [2]. The attacker can execute arbitrary script in the victim's browser within the context of the vulnerable site.

Mitigation

No specific mitigation is provided in the available references [1][2]. Given the age of the vulnerability (2008), Cisco BBSM Captive Portal 5.3 is likely end-of-life; users should consult Cisco for any remaining guidance or upgrade to a supported solution.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

8
