{"vuid":"VU#830316","idnumber":"830316","name":"Cisco Prime Network Control System (NCS) and Wireless Control System (WCS) vulnerable to cross-site scripting (XSS)","keywords":["Cisco","network control system","XSS","cross-site scripting","input validation","CWE-79","CSCud18375","CSCty22931","CVE-2012-5990"],"overview":"Cisco Prime NCS and WCS Health Monitor Login pages contain a reflected cross-site scripting (XSS) vulnerability (CWE-79).","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCisco Prime Network Control System (NCS) and Wireless Control System (WCS) Health Monitor Login pages contain an input validation error which results in a reflected cross-site scripting vulnerability that can allow an attacker to inject arbitrary HTML content (including script). Please see Cisco Release Note Enclosure (RNE) CSCud18375 (login required) for more information.","impact":"An attacker can conduct a cross-site scripting attack which may be used to inject arbitrary HTML content (including script) into a web page presented to the user. \nJavaScript can be used to steal authentication cookies or other sensitive information.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"Thanks to Tenable Network Security for reporting this vulnerability.","author":"This document was written by Adam Rauf.","public":["http://cwe.mitre.org/data/definitions/79.html","https://tools.cisco.com/bugsearch/bug/CSCud18375"],"cveids":["CVE-2012-5990"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-05-22T15:59:12Z","publicdate":"2013-09-03T00:00:00Z","datefirstpublished":"2013-09-03T15:49:50Z","dateupdated":"2013-09-13T19:22:01Z","revision":52,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"1","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5.8","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:P/A:N","cvss_temporalscore":"5.5","cvss_environmentalscore":"1.4","cvss_environmentalvector":"CDP:N/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}