VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2019 · Updated Nov 21, 2024

Cisco Hyperflex Stored Cross-Site Scripting Vulnerability

CVE-2019-1665

Description

A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions prior to 3.5(1a) are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco HyperFlex web interface insufficiently validates input, enabling stored XSS via crafted links; fixed in version 3.5(1a).

Vulnerability

The web-based management interface of Cisco HyperFlex software prior to version 3.5(1a) does not sufficiently validate user-supplied input, leading to a stored cross-site scripting (XSS) vulnerability [1]. The issue resides in the interface's handling of user-provided data, allowing an unauthenticated, remote attacker to inject malicious script code that is stored and later executed in the context of the affected interface [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link and persuading a user of the web-based management interface to click on it [1]. No authentication or special network position is required; the attacker only needs to deliver the link to a user (e.g., via email or phishing). Once the user clicks the link, the stored script executes in the browser session of the victim [1].

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected web-based management interface or access sensitive browser-based information, such as session tokens or cookies [1]. This can lead to further compromise of the HyperFlex system and exposure of sensitive data.

Mitigation

Cisco has released fixed software in version 3.5(1a) and later [1]. Users should upgrade to a patched release as soon as possible. No workarounds are available [1]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
