Saturday, April 13, 2024

Cisco BroadWorks Application Software Flaw Let Attackers conduct XSS Attack

Cisco released a fix for the medium impact vulnerability found on CommPilot Application Software, allowing cross-site scripting against the user interface.

The Cisco BroadWorks CommPilot Application allows authenticated users to upload configuration files on the platform.

The lack of file validation and broken access control on the vulnerable upload servlet allows any authenticated user to upload a file, which could be abused to run arbitrary code on the server.

Cisco’s BroadWorks Application Delivery Platform, BroadWorks Application Server (AS), and BroadWorks Xtended Services Platform (XSP) are affected by this vulnerability.

Vulnerability in detail:

The latest update for the Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability was published on August 30 by Cisco.

The web-based management interface does not properly validate user-supplied input, which lets an attacker exploit this vulnerability by persuading a user to click a crafted link. 

A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

They have released software updates that address this vulnerability, but no workarounds address it.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed-release information that is documented in this advisory.

Before upgrading devices, Cisco recommends its customers ensure that the memory and current hardware and software configurations will continue to be supported properly by the new release.

Fixed Release:

Cisco BroadWorks Application Delivery Platform with CommPilot-25, CommPilot-24, and CommPilot-23 ReleaseFirst Fixed Release
Release Independent (RI)RI 2023.06
Cisco BroadWorks Application Server Software ReleaseFirst Fixed Release
Earlier than 23.0Migrate to a fixed release.
Release Independent (RI)RI 2023.06
Cisco BroadWorks Xtended Services Platform Software ReleaseFirst Fixed Release
Earlier than 23.0Migrate to a fixed release.
Release Independent (RI)RI 2023.08

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles