ID

VAR-201708-1332


CVE

CVE-2017-6776


TITLE

Cisco Elastic Services Controller vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007251

DESCRIPTION

A vulnerability in the web framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvd76324. Known Affected Releases: 2.2(9.76) and 2.3(1). The vendor has released this vulnerability as Bug ID CSCvd76324. Information may be obtained and information may be altered. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.98

sources: NVD: CVE-2017-6776 // JVNDB: JVNDB-2017-007251 // BID: 100370 // VULHUB: VHN-114979

AFFECTED PRODUCTS

vendor: cisco, model: elastic services controller, scope: eq, version: 2.3\(1\)

Trust: 1.6

vendor: cisco, model: elastic services controller, scope: eq, version: 2.2\(9.76\)

Trust: 1.6

vendor: cisco, model: elastic services controller, scope: -, version: -

Trust: 0.8

vendor: cisco, model: virtual managed services, scope: eq, version: 2.3(1)

Trust: 0.3

vendor: cisco, model: virtual managed services, scope: eq, version: 2.2(9.76)

Trust: 0.3

vendor: cisco, model: elastic services controller, scope: eq, version: 0

Trust: 0.3

sources: BID: 100370 // JVNDB: JVNDB-2017-007251 // CNNVD: CNNVD-201708-790 // NVD: CVE-2017-6776

CVSS

SEVERITY | CVSSV2 | CVSSV3

nvd@nist.gov: CVE-2017-6776
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6776
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201708-790
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114979
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6776
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114979
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6776
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114979 // JVNDB: JVNDB-2017-007251 // CNNVD: CNNVD-201708-790 // NVD: CVE-2017-6776

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-114979 // JVNDB: JVNDB-2017-007251 // NVD: CVE-2017-6776

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-790

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201708-790

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007251

PATCH

title: cisco-sa-20170816-esc2, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-esc2

Trust: 0.8

title: Cisco Elastic Services Controller Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74107

Trust: 0.6

sources: JVNDB: JVNDB-2017-007251 // CNNVD: CNNVD-201708-790

EXTERNAL IDS

db: NVD, id: CVE-2017-6776

Trust: 2.8

db: BID, id: 100370

Trust: 1.4

db: JVNDB, id: JVNDB-2017-007251

Trust: 0.8

db: CNNVD, id: CNNVD-201708-790

Trust: 0.7

db: NSFOCUS, id: 37456

Trust: 0.6

db: VULHUB, id: VHN-114979

Trust: 0.1

sources: VULHUB: VHN-114979 // BID: 100370 // JVNDB: JVNDB-2017-007251 // CNNVD: CNNVD-201708-790 // NVD: CVE-2017-6776

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170816-esc2

Trust: 2.0

url:http://www.securityfocus.com/bid/100370

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6776

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6776

Trust: 0.8

url:http://www.nsfocus.net/vulndb/37456

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-114979 // BID: 100370 // JVNDB: JVNDB-2017-007251 // CNNVD: CNNVD-201708-790 // NVD: CVE-2017-6776

CREDITS

Cisco

Trust: 0.3

sources: BID: 100370

SOURCES

db: VULHUB, id: VHN-114979
db: BID, id: 100370
db: JVNDB, id: JVNDB-2017-007251
db: CNNVD, id: CNNVD-201708-790
db: NVD, id: CVE-2017-6776

LAST UPDATE DATE

2025-04-20T23:22:13.076000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114979, date: 2017-08-25T00:00:00
db: BID, id: 100370, date: 2017-08-16T00:00:00
db: JVNDB, id: JVNDB-2017-007251, date: 2017-09-14T00:00:00
db: CNNVD, id: CNNVD-201708-790, date: 2017-08-18T00:00:00
db: NVD, id: CVE-2017-6776, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114979, date: 2017-08-17T00:00:00
db: BID, id: 100370, date: 2017-08-16T00:00:00
db: JVNDB, id: JVNDB-2017-007251, date: 2017-09-14T00:00:00
db: CNNVD, id: CNNVD-201708-790, date: 2017-08-18T00:00:00
db: NVD, id: CVE-2017-6776, date: 2017-08-17T20:29:00.620