CVE-2016-1305
Description
Cisco APIC-EM 1.1 is vulnerable to reflected XSS via insufficient sanitization of HTML entities, allowing remote unauthenticated attackers to inject arbitrary script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) release 1.1 is affected by a reflected cross-site scripting (XSS) vulnerability. The flaw stems from insufficient sanitization of HTML entities returned to the end user in the web framework, allowing arbitrary web script or HTML injection via crafted vectors. No other Cisco products are currently known to be affected [1].
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to access a malicious link containing the injected payload. The attacker does not require any prior authentication or special network position beyond reachability to the APIC-EM interface. Successful exploitation relies on user interaction (clicking the crafted link) [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected APIC-EM web interface. This can lead to session hijacking, credential theft, or other actions that the victim's browser can perform within the application's security context, compromising confidentiality and integrity of user data [1].
Mitigation
Cisco has released software updates to address this vulnerability. Customers should upgrade to a fixed version of APIC-EM to remediate the issue. No workarounds are available. The advisory is available at the Cisco Security Advisory link [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cisco:application_policy_infrastructure_controller_enterprise_module:1.1_base:*:*:*:*:*:*:*
- (no CPE) range: =1.1
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.