ESB-2018.0683 - [Cisco] Cisco Registered Envelope Service: Cross-site scripting - Remote with user interaction - 2018-03-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0683
   Cisco Registered Envelope Service Cross-Site Scripting Vulnerability
                               8 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Registered Envelope Service
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0208  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-res

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory
Cisco Registered Envelope Service Cross-Site Scripting Vulnerability

Medium

Advisory ID:      cisco-sa-20180307-res
First Published:  2018 March 7 16:00 GMT
Version 1.0:      Final
Workarounds:      No workarounds available
Cisco Bug IDs:    CSCvg74126
CVE:              CVE-2018-0208
CWE:              CWE-79

CVSS Score:       Base 5.4
CVSS Vector:      CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X

Summary

A vulnerability in the web-based management interface of the Cisco Registered
Envelope Service could allow an authenticated, remote attacker to conduct a
cross-site scripting (XSS) attack against a user of the web-based management
interface of the affected service.

The vulnerability is due to insufficient validation of user-supplied input
that is processed by the web-based management interface of the affected
service. An attacker could exploit this vulnerability by persuading a user of
the interface to click a malicious link. A successful exploit could allow the
attacker to execute arbitrary script code in the context of the interface or
access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-res

Affected Products

Vulnerable Products

This vulnerability affects the Cisco Registered Envelope Service, which is
cloud-based.

For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Details

The Cisco Registered Envelope Service is a highly advanced, cloud-based,
encryption-key service. Whether you need to meet compliance requirements,
safeguard communications, or protect intellectual property, this flexible and
scalable service supports your messaging requirements without your having to
invest in additional infrastructure.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

At the time of publication, fixed software had been provided to the Cisco
Registered Envelope Service for this vulnerability. For the latest and most
detailed information about fixed software releases, consult the Cisco bug
ID(s) at the top of this advisory.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.

Source

Cisco would like to thank security researcher Rahul Raj from Hindustan
University for reporting this vulnerability.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-res

Revision History

Version  Description              Section  Status  Date
1.0      Initial public release.           Final   2018-March-07

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================