Cisco ASA is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. Cisco ASA software versions 8.0.4(2B) and prior running on ASA 5500 Series Adaptive Security Appliances are vulnerable.

Zloss has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. Input passed via the URL when executing commands is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. The device allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to potentially alter the configuration of the device by tricking the user [...]

Cisco Router HTTP Administration CSRF Remote Command Execution Universal Exploit. Replace “10.10.10.1″ with the IP address of the target router, embed this in a web page and hope for the best. This is only for test use.

Cisco routers with the HTTP administration interface enabled are vulnerable to an CSRF (Cross-Site Request Forgery) vulnerability that can yield remote command execution with level 15 privileges. An attacker can execute ANY command on the router with level 15 (root, same as enable) privileges (usually level 15 user by default) by getting a target user (administrator or etc) to view a web page that has the exploit embedded. The exploits can be modified to, on loading of the page with the exploits embedded, to execute both exec and configure commands on the Cisco router. These exploits have been tested on [...]