Cisco UCS Central Software is prone to a cross-site scripting vulnerability and a session-fixation vulnerability.
An attacker may leverage these issues to hijack an arbitrary session and gain unauthorized access to the affected application or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug ID CSCvf71978 and CSCvf71986.
Information
CVE-2017-12349
Exploit
Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.