VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2019 · Updated Nov 21, 2024

Cisco DNA Center Access Contract Stored Cross-Site Scripting Vulnerability

CVE-2019-1707

Description

A vulnerability in the web-based management interface of Cisco DNA Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco DNA Center versions prior to 1.2.5 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated, remote attacker can exploit a stored XSS vulnerability in Cisco DNA Center versions prior to 1.2.5 to execute script code or access sensitive browser-based information.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of Cisco DNA Center versions prior to 1.2.5. The flaw is due to insufficient validation of user-supplied input by the interface, allowing an authenticated attacker to inject malicious script code that is later served to other users. [1]

Exploitation

An attacker must first authenticate to the Cisco DNA Center web interface. The attacker then crafts a malicious link containing the XSS payload and persuades a victim user to click it. No additional privileges beyond standard authentication are required, and the attack relies on user interaction (clicking the link). [1]

Impact

Successful exploitation enables the attacker to execute arbitrary script code within the context of the victim's browser session in the management interface. This can lead to disclosure of sensitive browser-based information, such as session tokens or cookies, potentially allowing hijacking of the victim's session. [1]

Mitigation

Cisco has not released a software update that fixes this vulnerability at the time of advisory publication. No workarounds address the issue. Customers should monitor Cisco advisories for future fixed releases. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
