CVE-2018-17051
Description
K-Net Cisco Configuration Manager through 2014-11-19 has XSS via devices.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco Configuration Manager devices.php endpoint has reflected XSS via the id parameter, enabling attacker-injected script execution.
Vulnerability
The devices.php page in Cisco Configuration Manager (through 2014-11-19) reflects unsanitized user input from the id GET parameter into HTML output. Specifically, a crafted id value containing a closing double-quote and script tag triggers an XSS alert in the response body [1]. The vulnerable code path is reachable when the action parameter is set to edit and the id parameter is supplied with malicious content.
Exploitation
An attacker needs only to send a crafted HTTP GET request to http://127.0.0.1/cisco-config/devices.php?action=edit&id=. No authentication, write access, or user interaction is required. The injected script executes in the victim's browser context upon page load, as demonstrated by the alert(1) payload in reference [1].
Impact
Successful exploitation yields arbitrary JavaScript execution in the victim's browser session. This can lead to session hijacking, credential theft, or further attacks against the internal network. The compromise occurs at the client side with the attacker's script running in the same origin as the application.
Mitigation
No official patch is documented in the available references. The vendor (Cisco) has not disclosed a fix for this issue. As a workaround, administrators should sanitize the id parameter, that is, HTML-encode it at the point where it is rendered into the page, or disable the devices.php page if it is not needed. The vulnerability remains unpatched as of the last known release date (2014-11-19).
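As an added illustration, not code from the cisco-config-manager project or from this record, the following PHP shows the reflection pattern described under Vulnerability beside the escaping recommended under Mitigation; the function names, the HTML layout, the constructed input and the numeric-id assumption are this example's own.

```php
<?php
// Added illustration (not the project's devices.php): the reflected-XSS pattern
// described for devices.php?action=edit&id=..., beside its escaped form.
// Function names, HTML layout and the numeric-id assumption are this example's own.

// Vulnerable: the raw id value is written straight into an attribute value.
// A value containing a closing double-quote followed by markup terminates the
// attribute early and the remainder is parsed as HTML.
function render_edit_form_vulnerable(string $id): string
{
    return '<input type="text" name="id" value="' . $id . '">';
}

// Hardened: HTML-encode the value at the point it is written into HTML.
// ENT_QUOTES encodes both ' and " so the attribute cannot be terminated early.
function render_edit_form_safe(string $id): string
{
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="id" value="' . $safe . '">';
}

// Defence in depth (assumption: device ids are numeric in this application):
// validate the shape of the id before it is used at all, and reject anything else.
function valid_device_id(string $id): bool
{
    return preg_match('/^[0-9]{1,10}$/', $id) === 1;
}

// Constructed input for the demonstration: a double quote followed by markup.
$constructed = '"><b>x</b>';

// In the vulnerable output the <b> element is live markup; in the safe output it
// is inert text because the quote and angle brackets have been encoded.
echo render_edit_form_vulnerable($constructed), "\n";
echo render_edit_form_safe($constructed), "\n";

// The validator rejects the constructed value and accepts a plain numeric id.
var_dump(valid_device_id($constructed));
var_dump(valid_device_id('42'));
```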
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2014-11-19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/adilinden/cisco-config-manager/issues/3 (MISC)
News mentions
No linked articles in our index yet.