XSS vuln found in Cisco’s social support software

SocialMiner doesn’t play nice with China’s popular WeChat.

Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.

That’s the slightly embarrassing bug Cisco’s just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.

It means some unfortunate support staffer who’s not paying close attention to what they’re receiving could get tricked into clicking a malicious link.

SocialMiner is yet another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software tells someone to respond, preferably before anything looks like going viral.

Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.

“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”
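The advisory's “insufficient input validation” is the classic reflected-XSS root cause: a value taken from a request (for example a query parameter carried by the malicious link) is written into the page as markup. The following is an added example, not Cisco's or SocialMiner's code; it assumes a hypothetical page that reflects a social-media handle into its HTML, and shows the vulnerable rendering beside the hardened one (output encoding) plus a small check that a test suite could use to catch the difference.

```javascript
// Added example (not Cisco's code). Assumes a hypothetical support page that
// reflects a query parameter ("handle") into its HTML response.

// HTML-encode the five characters that can change the meaning of markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the untrusted value is concatenated straight into
// markup, so any tags it contains are interpreted by the browser.
function renderUnsafe(handle) {
  return `<p>Replying to ${handle}</p>`;
}

// Hardened rendering: same template, but the value is encoded first, so the
// browser shows the characters instead of executing them.
function renderSafe(handle) {
  return `<p>Replying to ${escapeHtml(handle)}</p>`;
}

// Review/test helper: does the output contain any element that was not part
// of the template? Any extra tag means untrusted data reached the parser.
function containsInjectedTag(html, templateTags = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed input: the kind of value an attacker-controlled link could carry.
const hostileHandle = '<script>alert(1)</script>';

// Stand-alone demonstration of the two outcomes.
console.log('unsafe injected:', containsInjectedTag(renderUnsafe(hostileHandle))); // true
console.log('safe injected:  ', containsInjectedTag(renderSafe(hostileHandle)));   // false
console.log(renderSafe(hostileHandle));
```

Encoding at the point of output (rather than trying to filter “bad” input) is what closes this class of bug, because it does not depend on anticipating every payload shape; the `containsInjectedTag` check is a cheap regression test for templates that reflect user-controlled values.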

While it only has a relatively low CVSS score of 4.3, there’s no fix as yet, nor are there workarounds.

However, it’s probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things.

Source: http://www.theregister.co.uk/
