PT-2018-5385 · Cisco · Cisco Small Business 300 Series Managed Switches +5

Published: 2018-01-18 · Updated: 2020-09-04 · CVE-2017-12307

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Cisco Small Business 300 Series Managed Switches (affected versions not specified)
Cisco Small Business 500 Series Stackable Managed Switches (affected versions not specified)
Cisco 350 Series Managed Switches (affected versions not specified)
Cisco 350X Series Stackable Managed Switches (affected versions not specified)
Cisco 550X Series Stackable Managed Switches (affected versions not specified)
Cisco ESW2 Series Advanced Switches (affected versions not specified)
Description: A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The issue is due to insufficient input validation of parameters passed to the web server. An attacker could exploit this by convincing a user to follow a malicious link or by intercepting a user request and injecting code into it. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or to access sensitive browser-based information.
Recommendations: For each of the affected products, update the software to a version that includes the fix for the issue:
Cisco Small Business 300 Series Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches
Cisco 350 Series Managed Switches
Cisco 350X Series Stackable Managed Switches
Cisco 550X Series Stackable Managed Switches
Cisco ESW2 Series Advanced Switches
As a temporary workaround, consider restricting access to the web interface of the affected system until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2017-12307

Affected Products

Cisco 350 Series Managed Switches
Cisco 350X Series Stackable Managed Switches
Cisco 550X Series Stackable Managed Switches
Cisco ESW2 Series Advanced Switches
Cisco Small Business 300 Series Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches