CVE-2012-3047

Description

Cross-site scripting (XSS) vulnerability in the web-wizard setup page on Cisco Scientific Atlanta D20 and D30 cable modems allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected (37)

Cisco

37 products

Scientific Atlanta Dpc/epc2100

Scientific Atlanta Dpc/epc2202

Scientific Atlanta Dpc/epc2203

Scientific Atlanta Dpc/epc2325

Scientific Atlanta Dpc/epc2425

Scientific Atlanta Dpc/epc2434

Scientific Atlanta Dpc/epc2505

Scientific Atlanta Dpc/epc3010

Scientific Atlanta Dpc/epc3212

Scientific Atlanta Dpc/epc 3208

Scientific Atlanta Dpc2420

Scientific Atlanta Dpc3000/epc3000

Scientific Atlanta Dpc3008/epc3008

Scientific Atlanta Dpc3825

Scientific Atlanta Dpc3925

Scientific Atlanta Dpq/epq2160

Scientific Atlanta Dpq2202

Scientific Atlanta Dpq2425

Scientific Atlanta Dpq3212

Scientific Atlanta Dpq3925

Scientific Atlanta Dpr362

Scientific Atlanta Dpw700

Scientific Atlanta Dpw730

Scientific Atlanta Dpw939

Scientific Atlanta Dpw941

Scientific Atlanta Dpx/epx2100

Scientific Atlanta Dpx/epx2203

Scientific Atlanta Dpx/epx2203c

Scientific Atlanta Dpx100/120

Scientific Atlanta Dpx110

Scientific Atlanta Dpx130

Scientific Atlanta Dpx213

Scientific Atlanta Dpx2213

Scientific Atlanta Epc2420

Scientific Atlanta Epc3825

Scientific Atlanta Epc3925

Scientific Atlanta Wag310g

Configuration A

37 vulnerable

Vulnerable Software	Affected Versions
Cisco Scientific Atlanta Dpc/epc2100	All versions
Cisco Scientific Atlanta Dpc/epc2202	All versions
Cisco Scientific Atlanta Dpc/epc2203	All versions
Cisco Scientific Atlanta Dpc/epc2325	All versions
Cisco Scientific Atlanta Dpc/epc2425	All versions
Cisco Scientific Atlanta Dpc/epc2434	All versions
Cisco Scientific Atlanta Dpc/epc2505	All versions
Cisco Scientific Atlanta Dpc/epc3010	All versions
Cisco Scientific Atlanta Dpc/epc3212	All versions
Cisco Scientific Atlanta Dpc/epc 3208	All versions
Cisco Scientific Atlanta Dpc2420	All versions
Cisco Scientific Atlanta Dpc3000/epc3000	All versions
Cisco Scientific Atlanta Dpc3008/epc3008	All versions
Cisco Scientific Atlanta Dpc3825	All versions
Cisco Scientific Atlanta Dpc3925	All versions
Cisco Scientific Atlanta Dpq/epq2160	All versions
Cisco Scientific Atlanta Dpq2202	All versions
Cisco Scientific Atlanta Dpq2425	All versions
Cisco Scientific Atlanta Dpq3212	All versions
Cisco Scientific Atlanta Dpq3925	All versions
Cisco Scientific Atlanta Dpr362	All versions
Cisco Scientific Atlanta Dpw700	All versions
Cisco Scientific Atlanta Dpw730	All versions
Cisco Scientific Atlanta Dpw939	All versions
Cisco Scientific Atlanta Dpw941	All versions
Cisco Scientific Atlanta Dpx/epx2100	All versions
Cisco Scientific Atlanta Dpx/epx2203	All versions
Cisco Scientific Atlanta Dpx/epx2203c	All versions
Cisco Scientific Atlanta Dpx100/120	All versions
Cisco Scientific Atlanta Dpx110	All versions
Cisco Scientific Atlanta Dpx130	All versions
Cisco Scientific Atlanta Dpx213	All versions
Cisco Scientific Atlanta Dpx2213	All versions
Cisco Scientific Atlanta Epc2420	All versions
Cisco Scientific Atlanta Epc3825	All versions
Cisco Scientific Atlanta Epc3925	All versions
Cisco Scientific Atlanta Wag310g	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

http://tools.cisco.com/security/center/viewAlert.x?alertId=26036

Source: psirt@cisco.com

Vendor Advisory