Cisco has alerted its customers that it is working on a patch for a vulnerability found in its Prime Collaboration Deployment product by a member of NATO’s Cyber Security Centre (NCSC).
The product, designed to assist in the management of Unified Communications (UC) applications, is affected by a cross-site scripting (XSS) vulnerability in its web-based management interface.
Additionally, Cisco has explained that an attacker could exploit this vulnerability by persuading a user of the interface to click on a crafted link, allowing the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco said there is no evidence of exploitation of the vulnerability in the wild. However, vulnerabilities in the company’s products have been targeted in previous attacks. The company has not stated when it expects a patch to become available, and there are no workarounds that address the vulnerability.
The vulnerability was reported by Pierre Vivegnis, a penetration tester and security researcher at NATO, and Cisco has given him credit for it.
At the same time, government agencies are now responsible for disclosing vulnerabilities they discover to vendors. In the past year, the NSA has reported multiple vulnerabilities to Cisco, and the UK’s National Cyber Security Centre (NCSC) has recently been credited with identifying flaws in industrial products.
However, governments are known to stockpile vulnerabilities and exploits for use in their cyber operations.