CVE-2009-0470
Description
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server in Cisco IOS 12.4(23) allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) level/15/exec/-/ or (2) exec/, a different vulnerability than CVE-2008-3821.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco IOS 12.4(23) HTTP server XSS vulnerabilities allow remote attackers to inject arbitrary web script via crafted PATH_INFO on specific URIs.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the HTTP server component of Cisco IOS version 12.4(23). The flaws occur when the server fails to properly sanitize user-supplied input passed via the PATH_INFO to the default URI under level/15/exec/-/ or exec/. This allows remote attackers to inject arbitrary web script or HTML [1]. This issue is distinct from CVE-2008-3821.
Exploitation
An attacker can exploit these vulnerabilities by sending a crafted HTTP request to the affected device with malicious script embedded in the PATH_INFO string. No authentication is required, and the attacker only needs network access to the device's HTTP server. The attack is executed when a user browses to the crafted URL, leading to script execution in that user's browser within the security context of the vulnerable server's web interface.
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML, potentially leading to session hijacking, defacement, or theft of sensitive information such as authentication cookies. The attack operates within the security context of the affected web server, which typically runs with limited privileges but can expose critical device management interfaces.
Mitigation
Cisco has not released a specific fixed version in the available references [1]. Administrators are advised to disable the HTTP server if not required, or restrict access via access control lists. Upgrading to a later IOS version that addresses this vulnerability is recommended. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
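The two mitigations named above, shown side by side with the weak state, as an added Cisco IOS configuration example; this is not configuration from Cisco or from this page, and the management subnet 10.0.0.0/24 and ACL number 10 are constructed placeholders.

```cisco
! --- Weak state (constructed): HTTP server enabled, reachable from any source ---
ip http server

! --- Option 1: disable the HTTP server entirely if it is not needed ---
no ip http server

! --- Option 2: keep the HTTP server but restrict which sources may reach it ---
! Standard ACL 10 permits only the (constructed) management subnet;
! everything else is denied and logged for detection.
access-list 10 remark management hosts allowed to reach the IOS HTTP server
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10

! --- Verify the resulting state from configuration mode ---
do show ip http server status
```

Apply only one of the two options; the access-class is irrelevant once the server is disabled. The `log` keyword on the deny entry makes rejected connection attempts visible in the device log, which gives defenders a simple signal for unexpected sources reaching the management interface.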
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
cpe:2.3:o:cisco:ios:12.4\(23\):*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.