Cisco Digital Network Architecture Center Stored Cross-Site Scripting Vulnerability
Description
A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Cisco DNA Center web-based management interface allows authenticated admins to inject arbitrary script via insufficient input validation. Fixed in 1.3.0.6 and 1.3.1.4.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) issue in the web-based management interface of Cisco DNA Center Software. It exists due to insufficient validation of user-supplied input [1]. Affected versions are those earlier than 1.3.0.6 and 1.3.1.4 [1]. The attack requires administrator credentials to access the management interface [1].
Exploitation
An authenticated attacker with administrator privileges can exploit this vulnerability by crafting a malicious link and persuading a user (e.g., another administrator) to click it [1]. The attacker does not need network-level access beyond normal management connectivity. The stored XSS payload is delivered via the crafted link and executed when the target user interacts with the affected interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the security context of the victim's browser session on the management interface [1]. This can lead to access to sensitive, browser-based information, such as session tokens or displayed data, and could potentially be used to perform administrative actions on behalf of the victim [1]. The attacker gains no additional system-level privileges but compromises the confidentiality and integrity of the management interface session [1].
Mitigation
Cisco fixed the issue in releases 1.3.0.6 and 1.3.1.4 and later [1]. Users should upgrade to these versions using the System Updates feature [1]. The advisory describes no workaround; upgrading is the recommended action [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.3.1.4
- Cisco/Cisco Digital Network Architecture Center (DNA Center) v5 Range: 1.3.0.6
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss (mitre, vendor-advisory, x_refsource_CISCO)
- packetstormsecurity.com/files/157668/Cisco-Digital-Network-Architecture-Center-1.3.1.4-Cross-Site-Scripting.html (mitre, x_refsource_MISC)