Cisco Unified Operations Manager contains multiple cross-site scripting vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to insufficient validation of user-supplied input to certain scripts that make up the affected application. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious link. If successful, the attacker could conduct cross-site scripting attacks and gain access to sensitive information.
Exploit code is available.
Cisco has confirmed this vulnerability and has released updated software.
An attacker cannot directly exploit this vulnerability without user participation. The attacker must convince the user to view a malicious link, likely provided in an e-mail or instant message.
These vulnerabilities were discovered and reported to Cisco Systems by Brett Gervasoni of Sense of Security.