XSS Bug in Cisco’s Social Miner

Hello everybody!

Cisco just reported a rather embarrassing bug in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting. That means a member of support staff who clicks a malicious link without paying attention to what they have received could be tricked.

SocialMiner is yet another “brand management for social media” application. Basically, if it sees an unfavourable comment or a call for help about a brand on a social network, the software sends an alert so the organisation can respond, preferably before anything goes viral.

The flaw has not been fixed yet, nor has Cisco suggested a workaround, but its CVSS score of 4.3 is relatively low.

This is probably going to have a heavy effect in China, where WeChat has about half a billion users under its “Weixin” brand; in addition to its Twitter-like micro-messaging, the app is used for payments, video messaging, taxi bookings and other things.

Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.

“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”
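The advisory blames “insufficient input validation”, which in a reflected XSS usually means a value from the request was written into the page as raw HTML. The snippet below is an added example, not Cisco's or SocialMiner's code: it shows a message-display template that concatenates untrusted text straight into markup next to a hardened version that HTML-encodes it first, plus a small tag counter that makes the difference visible. The sample message and function names are constructed for this illustration.

```javascript
// Added example (not Cisco's code): HTML-escape untrusted text before it is
// reflected into a page. Skipping this step is the root cause of reflected XSS.

// The five characters that can change HTML context, and their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode text so the browser treats it as literal characters, never as markup.
// A single regex pass means '&' is never double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable template: the untrusted message is concatenated straight into HTML.
// Kept only to contrast with the hardened version below.
function renderMessageUnsafe(messageText) {
  return `<div class="msg">${messageText}</div>`;
}

// Hardened template: every untrusted value passes through escapeHtml() first.
function renderMessageSafe(messageText) {
  return `<div class="msg">${escapeHtml(messageText)}</div>`;
}

// Review helper: count the HTML tags in a rendered fragment. The template itself
// emits exactly two (the opening and closing <div>); anything more came from
// the untrusted input.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Constructed sample: a social-media message whose text happens to carry markup.
const SAMPLE = 'Help! my order is "lost" <b>again</b> & nobody answers';

// Run both templates over the sample and report how many tags each produced.
function demo() {
  return {
    unsafeTags: countTags(renderMessageUnsafe(SAMPLE)), // 4: two from the input
    safeTags: countTags(renderMessageSafe(SAMPLE)),     // 2: only the wrapper
    safeHtml: renderMessageSafe(SAMPLE),
  };
}

console.log(demo());
```

escapeHtml() is correct for text placed inside an HTML element body. A value dropped into an attribute, a URL, or inline JavaScript needs the encoding for that context instead, which is why templating engines that escape by default are preferable to hand-rolled concatenation.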

Check out Cisco’s advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151103-csm

Source: Akati