
Cisco Wireless Control System XSS


Product Name: Cisco Wireless Control System
Date: 4 August, 2010
Original URL: 
Discovered: 8 July, 2010
Disclosed: 4 August, 2010


The Cisco Wireless Control System (WCS) is a web interface that allows centralised management
and reporting within a Cisco wireless infrastructure.


A Cross-site Scripting (XSS) vulnerability exists within the search function on the
Cisco Wireless Control System (WCS) web interface due to insufficient input validation.
This enables attackers to prepare links to the website that include code, which is then
executed by the browser of a user who visits the website through such a link.


The affected script is "/webacs/", namely the "searchText" parameter.
Although not tested due to limitations, it is likely that all other parameters related to
this script will also be affected by this issue.
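
As an added example (not part of the original advisory and not Cisco's code), the following Python code flags access-log requests under "/webacs/" in which "searchText" or any other query parameter carries HTML markup characters after percent-decoding, including double-encoded values. The log lines, the "/webacs/search" path and the "sort" parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines; addresses, the "/webacs/search" path
# and the "sort" parameter are hypothetical, not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Aug/2010:09:12:01 +0000] "GET /webacs/search?searchText=ap-floor3 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Aug/2010:09:14:37 +0000] "GET /webacs/search?searchText=%22%3E%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5301',
    '10.0.0.9 - - [05/Aug/2010:09:15:02 +0000] "GET /webacs/search?searchText=x&sort=%253Cb%253E HTTP/1.1" 200 5288',
    '10.0.0.7 - - [05/Aug/2010:09:16:40 +0000] "GET /other/page?q=%3Cb%3E HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set('<>"')  # triage heuristic: characters that break out of HTML text or attributes

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(line, prefix="/webacs/"):
    """Return [(name, decoded_value)] for markup-bearing parameters under prefix."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.startswith(prefix):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl has already decoded once
        if MARKUP_CHARS & set(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Map line index -> findings for every line with at least one finding."""
    findings = {}
    for i, line in enumerate(lines):
        hits = suspicious_params(line)
        if hits:
            findings[i] = hits
    return findings
```

A hit only shows that markup was submitted; whether it was reflected unencoded depends on the WCS version that served the request.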

Affected Versions: All versions of Cisco WCS up to and including  Some versions of
7.0 *may* be affected.  Interim versions 7.0(118.0) and 6.0(194.0) are not vulnerable.


8 July, 2010 - Contacted vendor.
8 July, 2010 - Vendor acknowledged and confirmed vulnerability - will include in maintenance patch.
4 August, 2010 - Vendor releases maintenance patch (Cisco Bug ID = CSCtf14288).
4 August, 2010 - Vulnerability publicly disclosed.


Discovered by Tom Neaves (Verizon Business)

