PT-2019-3334 · Cisco · Cisco Ios+1

Nishith Sinha · Published 2019-09-25 · Updated 2019-10-09 · CVE-2019-12668

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Cisco IOS and Cisco IOS XE Software (affected versions not specified)

Description: The issue is caused by insufficient input validation of the banner parameter in the web framework code, allowing an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface. An attacker could exploit this by crafting a banner parameter and saving it, then convincing a user to access a malicious link or intercepting a user request and injecting malicious code. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or access sensitive browser-based information.

Recommendations: For Cisco IOS and Cisco IOS XE Software, update to a version that includes the fix for this issue, as Cisco has released software updates to address this vulnerability. As a temporary workaround, consider restricting access to the web interface of the affected software to minimize the risk of exploitation. Avoid using the banner parameter in the affected web interface until the issue is resolved.
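The pattern the description names, a persisted "banner" setting rendered back into the web UI without validation or output encoding, is shown below as an added illustration in Python. This is not Cisco's code and says nothing about how the IOS/IOS XE web framework is implemented; the settings store, handler names and page fragment are hypothetical stand-ins, and only the contrast between the flawed and the hardened handling is the point.

```python
# Added example (not Cisco's code): stored XSS through a persisted "banner"
# setting, shown as a vulnerable render beside a hardened one.
# SETTINGS, the save_*/render_* functions and the page fragment are
# hypothetical stand-ins for a device web UI.
import html
import re

# Constructed sample: an in-memory settings store standing in for the
# device's saved configuration.
SETTINGS = {"banner": ""}

# Allowlist for what a login banner legitimately needs: letters, digits,
# whitespace and common punctuation. Angle brackets and quotes are refused
# at input time, closing the "insufficient input validation" gap.
_BANNER_RE = re.compile(r"^[A-Za-z0-9 .,:;!?()\-_/\n]{0,512}$")


def save_banner_vulnerable(value: str) -> None:
    """Accepts anything and persists it verbatim (the flawed pattern)."""
    SETTINGS["banner"] = value


def save_banner_validated(value: str) -> bool:
    """Rejects input outside the allowlist; returns False when refused."""
    if not _BANNER_RE.fullmatch(value):
        return False
    SETTINGS["banner"] = value
    return True


def render_vulnerable() -> str:
    """Interpolates the stored banner straight into HTML: stored XSS."""
    return f"<div class='banner'>{SETTINGS['banner']}</div>"


def render_hardened() -> str:
    """Escapes at output so stored content is shown as text, never markup.
    quote=True also escapes quotes, which matters inside attribute values."""
    return f"<div class='banner'>{html.escape(SETTINGS['banner'], quote=True)}</div>"


if __name__ == "__main__":
    # Constructed sample input containing markup an operator never needs.
    tainted = "Welcome <script>alert(1)</script>"
    save_banner_vulnerable(tainted)
    print("vulnerable:", render_vulnerable())
    print("hardened:  ", render_hardened())
    print("validated save accepted:", save_banner_validated(tainted))
```

Both layers matter: input validation stops markup from being persisted in the first place, and output encoding ensures that whatever did get stored (for example before a fix was applied) is displayed as text rather than interpreted by the browser. Restricting who can reach the web interface, as the recommendation above suggests, reduces exposure while the fixed release is rolled out.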

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2019-03441
CVE-2019-12668

Affected Products

Cisco Ios
Cisco Ios Xe