CiscoWorks Common Services Directory Traversal and Cross-Site Scripting


Description   Two vulnerabilities have been identified in Cisco CiscoWorks Common Services, which could be exploited by attackers to gain knowledge of sensitive information.
The first issue is caused by an input validation error in the CiscoWorks Homepage Auditing component, which could allow directory traversal attacks.
The second vulnerability is caused by an input validation error in the Framework Help Servlet, which could allow cross-site scripting attacks.
     
Vulnerable Products   Vulnerable Software:
CiscoWorks Common Services version 3.3 and prior
     
Solution   Apply patches: http://tools.cisco.com/security/center/viewAlert.x?alertId=23088
http://tools.cisco.com/security/center/viewAlert.x?alertId=23089
     
CVE   CVE-2011-0966
CVE-2011-0961
     
References   http://tools.cisco.com/security/center/viewAlert.x?alertId=23088
http://tools.cisco.com/security/center/viewAlert.x?alertId=23089
http://seclists.org/fulldisclosure/2011/May/369
http://seclists.org/fulldisclosure/2011/May/382
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Directory traversal
Available Since: 3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2011-05-19 

 Target Type 
Server 

 Possible exploit 
Local & Remote