Cisco Unified Operations Manager contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to improper validation of user input supplied to the Common Services Device Center component used by the affected application. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious link. If successful, the attacker could conduct cross-site scripting attacks and access sensitive information.
Exploit code is available.
Cisco has confirmed this vulnerability; however, software updates are not available.
An attacker cannot directly exploit this vulnerability and must instead rely on user participation to carry out an exploit. The attacker must convince a user to view a malicious link. The attacker may deliver links to users in e-mail or instant messages, or may post them to public websites. When followed, the malicious link may trigger the vulnerability and allow the attacker to access sensitive information that may include user credentials. Attackers could use the information gained from the attack to launch further attacks against a targeted system.
This vulnerability was discovered and reported to Cisco Systems by Brett Gervasoni of Sense of Security.