Cisco Enterprise NFV Infrastructure Software Cross-site Scripting Vulnerability
Description
A vulnerability in the web portal framework of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to improper input validation of log file content stored on the affected device. An attacker could exploit this vulnerability by modifying a log file with malicious code and getting a user to view the modified log file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco NFVIS web portal suffers from stored XSS via log file manipulation, allowing authenticated attackers to execute arbitrary scripts.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the web portal framework of Cisco Enterprise NFV Infrastructure Software (NFVIS). The flaw is due to improper input validation of log file content stored on the device. An authenticated attacker can inject malicious script code into a log file, which is later rendered in the web interface without sanitization. Affected versions are those earlier than NFVIS Release 3.11.1 [1].
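The flaw class described above, stored log content rendered into a page without output encoding, is shown in the added example below. It is not NFVIS or Cisco code: the log viewer, function names and sample log lines are all hypothetical and constructed for illustration.

```javascript
// Added illustration: hypothetical log viewer, not NFVIS code.
// Constructed sample log lines; the second carries markup in a user-controlled field.
const SAMPLE_LOG = [
  "2019-08-07T10:00:01Z INFO login ok user=admin",
  "2019-08-07T10:00:05Z WARN login failed user=<script>alert(1)</script>",
  "2019-08-07T10:00:09Z INFO vm deploy name=router-1 & status=ok",
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored log content concatenated into markup as-is.
function renderLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Hardened pattern: log content is treated as data and encoded on output.
function renderLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Triage helper: flag stored lines that contain tag-like markup, inline
// event-handler attributes or script URLs, which plain log text rarely needs.
function findSuspiciousLines(lines) {
  const pattern = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;
  return lines
    .map((line, index) => ({ lineNumber: index + 1, line }))
    .filter((entry) => pattern.test(entry.line));
}

console.log(renderLogSafe(SAMPLE_LOG));
console.log(findSuspiciousLines(SAMPLE_LOG).map((entry) => entry.lineNumber));
```

In browser code, assigning each line to an element's `textContent` gives the same result without manual encoding. The triage pattern is a heuristic and will also flag benign lines that happen to contain tag-like text.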
Exploitation
An attacker must have authenticated access to the NFVIS device and the ability to modify log files (e.g., via the CLI or API). The attacker writes malicious JavaScript into a log entry. To trigger the XSS, the attacker must then convince a user (typically another administrator) to view the modified log file through the web-based interface. No additional privileges or user interaction beyond viewing the log are required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected web interface. This can lead to disclosure of sensitive browser-based information (e.g., session tokens, cookies) or actions performed on behalf of the victim user. The attacker gains the ability to perform actions with the privileges of the user viewing the log, potentially compromising the entire NFVIS management session [1].
Mitigation
Cisco has released software updates to address this vulnerability. The fix is included in NFVIS Release 3.11.1 and later. No workarounds are available. Users should upgrade to a fixed release as soon as possible [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cisco/Cisco Enterprise NFV Infrastructure Software | v5 | Range: unspecified
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-xss (mitre, vendor-advisory, x_refsource_CISCO)