Executive Summary

Summary
Title: Cisco Guard Enables Cross Site Scripting

Information
Name: cisco-sa-20060920-guardxss
Vendor: Cisco
First vendor Publication: 2006-09-18
Last vendor Modification: 2006-09-20
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Cvss Base Score: 2.6
Cvss Impact Score: 2.9
Cvss Exploit Score: 4.9
Attack Range: Network
Attack Complexity: High
Authentication: None Required

Detail

A vulnerability in the Cisco Guard may enable an attacker to send a web browser client to a malicious website through Cross Site Scripting (XSS) when the Guard is providing anti-spoofing services between the web browser client and a web server. The attacker may exploit this by providing a malicious URL for the web browser client to visit, often in an email, in a link followed from a malicious website, or in an instant message. This issue may occur even if the protected website does not allow XSS. A software upgrade is required to fix this vulnerability. A workaround is available to mitigate the effects of the vulnerability.

Original Source

Url : http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml

Open Source Vulnerability Database (OSVDB)

Id Description
29035 Cisco Guard meta-refresh Tag XSS

Guard contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified malformed URL strings when anti-spoofing is enabled and the appliance issues a meta-refresh. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
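
The OSVDB entry attributes the flaw to an unvalidated URL being placed in a meta-refresh page. The following Python code is an added illustration, not Cisco's code and not taken from the advisory: it contrasts a redirect page built by plain concatenation with one that validates and HTML-encodes the URL first. The function names, the protected_hosts allowlist and the sample URL are assumptions; the malformed string that affects the Guard is unspecified on this page.

```python
import html
from typing import Iterable, Optional
from urllib.parse import urlsplit

TEMPLATE = '<meta http-equiv="refresh" content="0;url={}">'


def meta_refresh_unsafe(url: str) -> str:
    """Weak pattern: the requested URL is copied into the attribute verbatim,
    so a double quote in it closes the attribute and the rest becomes markup."""
    return TEMPLATE.format(url)


def meta_refresh_safe(url: str, protected_hosts: Iterable[str]) -> Optional[str]:
    """Return the redirect tag, or None when the URL must not be echoed back.

    protected_hosts is a hypothetical allowlist of the sites the device fronts.
    """
    # Reject control characters (CR, LF, TAB, NUL, DEL) before any parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed bracketed host
        return None
    # Only plain web schemes, and only back to a host we actually protect.
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname is None or parts.hostname not in set(protected_hosts):
        return None
    # Encode &, <, > and both quote characters for the attribute context.
    return TEMPLATE.format(html.escape(url, quote=True))


# Constructed sample input: a quote followed by harmless markup.
SAMPLE = 'http://www.example.com/index.html?q="><b>injected</b>'
HOSTS = ["www.example.com"]

if __name__ == "__main__":
    print(meta_refresh_unsafe(SAMPLE))
    print(meta_refresh_safe(SAMPLE, HOSTS))
```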