1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Cisco says its server management tool has a serious security flaw

    From TechnologyDaily@1337:1/100 to All on Thu Apr 27 12:30:03 2023
    Cisco says its server management tool has a serious security flaw

    Date:
    Thu, 27 Apr 2023 11:20:53 +0000

    Description:
    The patch is still in the works and there are no workarounds available, Cisco warns.

    FULL STORY ======================================================================

    Cisco has reported finding a zero-day flaw in one of its products, which
    could result in threat actors running malicious code remotely, or stealing sensitive data from target endpoints .

    The vulnerability was found in a product called Prime Collaboration
    Deployment (PCD), a tool used by IT teams to migrate, or upgrade their servers. The flaw is now tracked as CVE-2023-20060, and is deemed of Medium severity with a 6.1 score. Its described as a cross-site scripting vulnerability that can be abused to launch arbitrary code.

    However, the patch is still in development, and there are no workarounds for the issue. Needs victim interaction

    A typical cross-site scripting (XSS) attack is a form of an injection, where the threat actor injects a malicious script into an otherwise legitimate, clean website that the users trust.

    "This vulnerability exists because the web-based management interface does
    not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link," Cisco said.

    "A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information." Read more

    How cross-site scripting attacks work


    This router is vulnerable to fake updates and cross-site scripting attacks


    Here are the best malware removal tools

    In other words, the vulnerability can be exploited, but it depends on the victims action. The attacker would need to persuade the victim to click a specially crafted, malicious link.

    The company said a fix is in the works but did not provide any timeline as to when it might get released. There are no workarounds.

    While that might sound problematic, the Cisco Product Security Incident Response Team (PSIRT) found no evidence of the flaw being used in the wild.

    The flaw was discovered by Pierre Vivegnis of NATO Cyber Security Centre (NCSC), Cisco said in its advisory. These are the best firewalls around

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/cisco-says-its-server-management-tool-has-a-ser ious-security-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)