Cisco Context Directory Agent Multiple Vulnerabilities
Severity Rating: Medium
Multiple vulnerabilities have been identified in Cisco Context Directory Agent (CDA). They can be exploited to bypass security restrictions, conduct cross-site scripting attacks and conduct other attacks. Cisco has issued an update to address these vulnerabilities.
Multiple vulnerabilities have been identified in Cisco Context Directory Agent. They can be exploited to affect the integrity of the user's access, conduct cross-site scripting attacks and conduct other attacks. The vulnerabilities identified are as follows:
1. The first vulnerability exists because the software does not properly filter HTML code from user-supplied input before displaying it, which remote attackers can exploit to conduct cross-site scripting attacks. An attacker could create a specially crafted URL that, when loaded by the user, causes the user's browser to execute arbitrary script code. The code would originate from the site running the Cisco Context Directory Agent software and would run in the security context of that site, allowing it to access the user's cookies, access data the target user recently submitted to the site via web forms, or take actions on the site as the target user.
2. The second vulnerability exists due to insufficient authorization enforcement. Remote attackers could exploit it by accessing an active session and performing administrative actions.
3. Another vulnerability exists because of insufficient validation of RADIUS accounting messages. Remote attackers could exploit it by replaying crafted RADIUS accounting messages to affect the contents of the CDA (Context Directory Agent) cache.
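The RADIUS accounting check described in item 3, as an added example that is not part of the original advisory or of Cisco's software: a receiver should verify the Request Authenticator of every Accounting-Request against the shared secret (RFC 2866) and discard messages it has already processed, so that both crafted and replayed accounting records are dropped before they can update any cache. The shared secret, attribute values and packets below are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 8, 40, 44  # attribute types

def encode_attrs(attrs):
    """Serialize (type, value) pairs into RADIUS TLV attributes: Type, Length, Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def build_acct_request(identifier, attrs, secret):
    """Build an Accounting-Request; used here only to construct sample input."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_acct_request(packet, secret):
    """True only if the packet is a well-formed Accounting-Request signed with `secret`."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class AcctReplayFilter:
    """Accept each authenticated Accounting-Request once and drop exact replays."""
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()  # authenticators already processed; a real server ages these out
    def accept(self, packet):
        if not verify_acct_request(packet, self.secret):
            return "rejected: malformed or bad authenticator"
        auth = packet[4:20]  # identical content + secret gives an identical authenticator
        if auth in self.seen:
            return "rejected: replay"
        self.seen.add(auth)
        return "accepted"

# Constructed sample input: a placeholder secret, one valid Start record, one forged copy.
SECRET = b"constructed-demo-secret"
ATTRS = [(USER_NAME, b"alice"), (FRAMED_IP, bytes([10, 0, 0, 5])),
         (ACCT_STATUS, struct.pack("!I", 1)), (ACCT_SESSION_ID, b"sess-0001")]
VALID = build_acct_request(7, ATTRS, SECRET)
FORGED = build_acct_request(7, ATTRS, b"guessed-secret")  # crafted without the real secret
```

Keying the replay set on the authenticator only catches exact duplicates; a production receiver would also bound the window with Event-Timestamp (RFC 2869) and expire old entries.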
Cisco has issued an update to address the vulnerabilities.
· Cisco Context Directory Agent
Users are advised to apply updates.
More information about the update is available on:
Cisco Security Tools
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street