CVE-2017-6776

Name of the Vulnerable Software and Affected Versions Cisco Elastic Services Controller (ESC) versions 2.2(9.76) and 2.3(1)

Description The issue is related to insufficient validation of user-supplied input by the affected software, allowing an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. An attacker could exploit this by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. This could allow the attacker to execute arbitrary script code in the context of the affected site or access sensitive browser-based information.

Recommendations For version 2.2(9.76), update to a fixed version to mitigate the risk. For version 2.3(1), update to a fixed version to mitigate the risk. As a temporary workaround, consider restricting access to the web interface until a patch is available.