CVE-2015-6337
Description
Cisco APIC-EM 1.0.10 is vulnerable to XSS via a crafted hostname in an SNMP response, allowing arbitrary web script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The cross-site scripting vulnerability exists in the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) version 1.0.10. The flaw occurs in the Simple Network Management Protocol (SNMP) query process, where user-supplied input—specifically the hostname returned in an SNMP response—is not properly sanitized before being rendered in the web interface [1].
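The following sketch is an added example, not Cisco's code or part of the original entry. It shows the general defence for this flaw class: treat the SNMP-returned hostname as untrusted, flag values that are not hostname-shaped on ingest, and HTML-encode at render time. All function names and sample values are hypothetical and constructed for illustration.

```python
import html
import re

# One DNS-style label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_plausible_hostname(value: str) -> bool:
    """True if value looks like a DNS-style hostname (at most 253 chars)."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.rstrip(".").split("."))


def ingest_sysname(raw: bytes) -> dict:
    """Decode a device-supplied name and flag values that are not hostnames."""
    text = raw.decode("utf-8", errors="replace")
    return {"sysname": text, "suspicious": not is_plausible_hostname(text)}


def render_row_unsafe(device: dict) -> str:
    # The flaw class described above: device-supplied text concatenated
    # straight into markup, so any tags in it become part of the page.
    return "<td>" + device["sysname"] + "</td>"


def render_row(device: dict) -> str:
    # Encode at the output boundary regardless of what validation decided.
    return "<td>" + html.escape(device["sysname"], quote=True) + "</td>"


# Constructed sample values, not captured from any device.
SAMPLES = [b"core-sw1.example.net", b"<b>edge</b>", b"lab_router"]


def report(samples=SAMPLES):
    """Return (suspicious, safely rendered cell) for each sample name."""
    rows = []
    for raw in samples:
        dev = ingest_sysname(raw)
        rows.append((dev["suspicious"], render_row(dev)))
    return rows


if __name__ == "__main__":
    for suspicious, row in report():
        print(("REVIEW " if suspicious else "ok     ") + row)
```

Validation here only flags a value for review; the encoding in `render_row` is what keeps markup in a device name from being interpreted by the browser.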
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by making a device on the network respond to an SNMP request with a crafted hostname containing malicious web script or HTML. No authentication or special network position beyond the ability to influence an SNMP response is required [1].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML in the context of the affected APIC-EM web interface. This can lead to disclosure of sensitive browser-based information and execution of actions on behalf of an authenticated user who views the malicious content [1].
Mitigation
As of the advisory publication date (January 25, 2016), Cisco had not released a software update to fix this vulnerability. No workarounds are available. Customers are advised to monitor the Cisco Security Advisories and Responses archive for future updates [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cisco:application_policy_infrastructure_controller_enterprise_module:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:application_policy_infrastructure_controller_enterprise_module:1.0_ga:*:*:*:*:*:*:*
- (no CPE) range: =1.0.10
Patches
No patches discovered yet.
References: 2
News mentions
No linked articles in our index yet.