MA-958.082023: MyCERT Advisory - Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability
Recently, a vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
3.0 Affected Products
At the time of publication, this vulnerability affected the following Cisco products:
- BroadWorks Application Delivery Platform
- BroadWorks Application Server (AS)
- BroadWorks Xtended Services Platform (XSP)
There are no workarounds that address this vulnerability. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Kindly visit https://www.cisco.com/go/psirt for more information.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT