cnvd - cnvd-2017-32978

CNVD-2017-32978

Vulnerability from cnvd - Published: 2017-11-07

Title

Cisco Spark Messaging Software HTML注入漏洞

Description

Cisco Spark Messaging Software是美国思科（Cisco）公司的一套协同合作服务解决方案。该方案通过提供一个虚拟空间，让处在任何地点的团队可以一起工作、通话和视频等，并能够讨论议题、储存团队的档案和文件等。 Cisco Spark Messaging Software中的Web UI存在跨站脚本漏洞，该漏洞源于程序未能充分的执行输入验证。远程攻击者可利用该漏洞迫使用户执行攻击者指定的代码或检索用户的敏感信息。

Severity

低

Patch Name

Cisco Spark Messaging Software HTML注入漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk http://www.securityfocus.com/bid/101150

Impacted products

Name
Cisco Spark 0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "101150"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12269"
    }
  },
  "description": "Cisco Spark Messaging Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u534f\u540c\u5408\u4f5c\u670d\u52a1\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u901a\u8fc7\u63d0\u4f9b\u4e00\u4e2a\u865a\u62df\u7a7a\u95f4\uff0c\u8ba9\u5904\u5728\u4efb\u4f55\u5730\u70b9\u7684\u56e2\u961f\u53ef\u4ee5\u4e00\u8d77\u5de5\u4f5c\u3001\u901a\u8bdd\u548c\u89c6\u9891\u7b49\uff0c\u5e76\u80fd\u591f\u8ba8\u8bba\u8bae\u9898\u3001\u50a8\u5b58\u56e2\u961f\u7684\u6863\u6848\u548c\u6587\u4ef6\u7b49\u3002\r\n\r\nCisco Spark Messaging Software\u4e2d\u7684Web UI\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u6267\u884c\u8f93\u5165\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8feb\u4f7f\u7528\u6237\u6267\u884c\u653b\u51fb\u8005\u6307\u5b9a\u7684\u4ee3\u7801\u6216\u68c0\u7d22\u7528\u6237\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "James Schwinabart of Qualcomm Technologies, Inc",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-32978",
  "openTime": "2017-11-07",
  "patchDescription": "Cisco Spark Messaging Software\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u534f\u540c\u5408\u4f5c\u670d\u52a1\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u901a\u8fc7\u63d0\u4f9b\u4e00\u4e2a\u865a\u62df\u7a7a\u95f4\uff0c\u8ba9\u5904\u5728\u4efb\u4f55\u5730\u70b9\u7684\u56e2\u961f\u53ef\u4ee5\u4e00\u8d77\u5de5\u4f5c\u3001\u901a\u8bdd\u548c\u89c6\u9891\u7b49\uff0c\u5e76\u80fd\u591f\u8ba8\u8bba\u8bae\u9898\u3001\u50a8\u5b58\u56e2\u961f\u7684\u6863\u6848\u548c\u6587\u4ef6\u7b49\u3002\r\n\r\nCisco Spark Messaging Software\u4e2d\u7684Web UI\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u6267\u884c\u8f93\u5165\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8feb\u4f7f\u7528\u6237\u6267\u884c\u653b\u51fb\u8005\u6307\u5b9a\u7684\u4ee3\u7801\u6216\u68c0\u7d22\u7528\u6237\u7684\u654f\u611f\u4fe1\u606f\u3002\r\n\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Spark Messaging Software HTML\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Spark 0"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk\r\nhttp://www.securityfocus.com/bid/101150",
  "serverity": "\u4f4e",
  "submitTime": "2017-10-09",
  "title": "Cisco Spark Messaging Software HTML\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2017-12269 (GCVE-0-2017-12269)

Vulnerability from cvelistv5 – Published: 2017-10-05 07:00 – Updated: 2024-08-05 18:28

Summary

A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web UI of the affected software. An attacker could exploit this vulnerability by injecting XSS content into the web UI of the affected software. A successful exploit could allow the attacker to force a user to execute code of the attacker's choosing or allow the attacker to retrieve sensitive information from the user. Cisco Bug IDs: CSCvf70587, CSCvf70592.

Severity ?

No CVSS data available.

CWE

CWE-79

Assigner

cisco

References

URL

Tags

	https://tools.cisco.com/security/center/content/C…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/101150	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	Cisco Spark Messaging	Affected: Cisco Spark Messaging

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:28:16.645Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk"
          },
          {
            "name": "101150",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101150"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Spark Messaging",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco Spark Messaging"
            }
          ]
        }
      ],
      "datePublic": "2017-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web UI of the affected software. An attacker could exploit this vulnerability by injecting XSS content into the web UI of the affected software. A successful exploit could allow the attacker to force a user to execute code of the attacker\u0027s choosing or allow the attacker to retrieve sensitive information from the user. Cisco Bug IDs: CSCvf70587, CSCvf70592."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-06T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk"
        },
        {
          "name": "101150",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101150"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-12269",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Spark Messaging",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco Spark Messaging"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web UI of Cisco Spark Messaging Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web UI of the affected software. An attacker could exploit this vulnerability by injecting XSS content into the web UI of the affected software. A successful exploit could allow the attacker to force a user to execute code of the attacker\u0027s choosing or allow the attacker to retrieve sensitive information from the user. Cisco Bug IDs: CSCvf70587, CSCvf70592."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk"
            },
            {
              "name": "101150",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101150"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-12269",
    "datePublished": "2017-10-05T07:00:00",
    "dateReserved": "2017-08-03T00:00:00",
    "dateUpdated": "2024-08-05T18:28:16.645Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-32978

CVE-2017-12269 (GCVE-0-2017-12269)

Tags

Sightings

Nomenclature