Vendor: Cisco Digital Network Architecture Center
By: Dylan Garnaud & Benoit Malaboeuf
CVSS: 4.8 MEDIUM
Persistent Cross-Site Scripting
CWE: 79
Product Name: Cisco Digital Network Architecture Center
Affected Version From: Cisco DNA before 1.3.0.6
Affected Version To: 1.3.1.4
Patch Exists: YES
Related CVE: CVE-2019-15253
CPE: a:cisco_systems:digital_network_architecture_center
Platforms Tested: Tested on version 1.3.0.2
2020

Cisco Digital Network Architecture Center 1.3.1.4 – Persistent Cross-Site Scripting

The vulnerability exists in the Network Hierarchy and User Management features of Cisco Digital Network Architecture Center. The Floor Name parameter in the Network Hierarchy and the First Name and Last Name parameters in User Management are vulnerable to persistent cross-site scripting (XSS) attacks. An attacker can inject malicious scripts into these fields, which will be executed when viewed by other users with sufficient privileges. The lack of input validation and filtering allows special characters to be included in the fields without any security mechanism. The vulnerability requires admin or customer account privileges in the Network Hierarchy and admin account privileges in User Management. The affected fields are located in Design -> Network Hierarchy -> Building -> Floor -> Field: 'Floor name' and Settings -> Users -> User Management -> Fields: 'First Name' or 'Last Name'.

Mitigation:

To mitigate this vulnerability, apply the patches provided by Cisco. Additionally, keep account privileges tightly controlled and limit access to the affected features to trusted users only.

Exploit-DB raw data:

# Exploit Title: Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting 
# Date: 2020-04-16
# Exploit Author: Dylan Garnaud & Benoit Malaboeuf - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html
# Version: Cisco DNA before 1.3.0.6 and 1.3.1.4
# Tested on: 1.3.0.2
# CVE : CVE-2019-15253
# Security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss


## 1 - Network Hierarchy
- Vulnerable parameter: Floor Name.
- Payload: ```<script>alert('XSS')</script>```  
- Details: There is no control or security mechanism on this field. Special characters are not encoded or filtered.
- Privileges: It requires an admin or customer account.
- Location: Design -> Network Hierarchy -> Building -> Floor -> Field: "Floor name".


## 2 - User Management
- Vulnerable parameters: First Name, Last Name.
- Payload: ```<script>alert('XSS')</script>```  
- Details: There is no control or security mechanism on this field. Special characters are not encoded or filtered.
- Privileges: It requires an admin account.
- Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".
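Both findings come down to name fields that are stored and rendered without validation or encoding. The following is an added defensive example, not part of the original advisory and not Cisco's code: it pairs allow-list validation with output encoding and audits already-stored values, since a patch does not clean data persisted earlier. The record shapes and field names (`floorName`, `firstName`, `lastName`) are assumptions made for illustration.

```javascript
// Added example: record shapes and field names are constructed for
// illustration, not taken from Cisco DNA Center's data model or API.

// Characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: applied at render time, regardless of what was stored.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation (allow-list): Unicode letters and digits, plus space and
// a few separators, 1 to 64 characters. Apostrophes stay legal for real
// names, which is why output encoding is still required.
const NAME_PATTERN = /^[\p{L}\p{N}][\p{L}\p{N} .,'_-]{0,63}$/u;

function isValidName(value) {
  return typeof value === 'string' && NAME_PATTERN.test(value.normalize('NFC'));
}

// Audit stored records: report every listed field that fails validation,
// with the encoded form so the report itself is safe to display.
function auditRecords(records, fields) {
  const findings = [];
  for (const record of records) {
    for (const field of fields) {
      if (field in record && !isValidName(record[field])) {
        findings.push({ id: record.id, field, rendered: escapeHtml(record[field]) });
      }
    }
  }
  return findings;
}

// Constructed sample data; the flagged value is the payload quoted on this page.
const SAMPLE_USERS = [
  { id: 1, firstName: 'Alice', lastName: "O'Neil" },
  { id: 2, firstName: "<script>alert('XSS')</script>", lastName: 'Test' },
];
const SAMPLE_FLOORS = [
  { id: 10, floorName: 'Floor 2 - East' },
  { id: 11, floorName: "<script>alert('XSS')</script>" },
];

console.log(auditRecords(SAMPLE_USERS, ['firstName', 'lastName']));
console.log(auditRecords(SAMPLE_FLOORS, ['floorName']));
```

Validation rejects new bad input at write time, while encoding at render time neutralises anything that was stored before the fix or that passes the allow-list.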