Cisco Unified Computing System Central Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability exists because the affected software fails to perform sufficient validation and sanitization of user-supplied input when processing crafted URLs. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information.
Cisco has confirmed the vulnerability in a security notice and has released software updates.
To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions in an attempt to persuade a user to follow the malicious link.
For additional information about cross-site scripting attacks and potential methods of mitigation, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors".
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.