PT-2005-4661 · Cisco · Cisco IOS

Hugo Vazquez Carames

Published: 2005-11-30 · Updated: 2018-10-19 · CVE-2005-3921

CVSS v2.0: 2.6 (Low)

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cisco IOS version 12.0(2a)

Description

A cross-site scripting (XSS) issue exists in the Cisco IOS Web Server, allowing remote attackers to inject arbitrary web script or HTML. The injected content reaches an administrator's browser in one of two ways: when packets containing HTML are viewed through the HTTP interface to the contents of memory buffers, as demonstrated by the URI /level/15/exec/-/buffers/assigned/dump, or when the router is sent Cisco Discovery Protocol (CDP) packets with an HTML payload that an administrator then views via the CDP status pages. The vulnerability requires a user to browse a page containing dynamic content with injected HTML commands, which could be interpreted by the client browser and potentially execute malicious commands.

Recommendations

For Cisco IOS version 12.0(2a), update to a version that includes the fix for this issue, as Cisco will be making free software available to address this vulnerability. As a temporary workaround, consider restricting access to the HTTP interface and CDP status pages to minimize the risk of exploitation. Avoid using the /level/15/exec/-/buffers/assigned/dump URI until the issue is resolved.


Related identifiers

CVE-2005-3921

Affected products

Cisco IOS