Cisco Secure Access Control Server (ACS) is a centralized user access
control framework. Cisco Secure ACS offers centralized command and control for
all user authentication, authorization, and accounting (AAA, pronounced "triple
A") services to network devices that function as AAA clients.
Cisco Secure ACS for UNIX LogonProxy.cgi is vulnerable to Cross Site
Scripting (XSS) attacks via both HTTP GET and POST requests.
This vulnerability affects only Cisco Secure ACS for Unix.
Cisco Secure ACS for Windows and Cisco Secure ACS Solution Engine are
This vulnerability could be used to redirect the ACS administrative
users to another host which could be used to proxy login requests back to the
bona fide ACS server while harvesting administrative user credentials.
Download and apply patch for CSCsd50560, which is located on Cisco.com
Instructions for applying the patch are found at the same
The following best practices will help mitigate the risks of this
Ensure that only IP addresses of trusted administrator hosts can
access the Cisco Secure ACS server.
Prevent access to the web component of the ACS server over the
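The two mitigations the advisory lists (admitting only trusted administrator hosts to the web component, and never writing untrusted request parameters into the page unescaped or using them as redirect targets) are shown below as an added Python example. This is not Cisco's LogonProxy.cgi code and does not reproduce the actual ACS defect: the trusted networks, the page markup and the parameter names `message` and `next` are constructed for illustration, and `render_vulnerable` is only the generic reflected-XSS pattern a reviewer looks for, placed beside the hardened form.

```python
import html
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not from the advisory): the networks
# from which ACS administrators are allowed to reach the web component.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "192.0.2.10/32")]


def client_allowed(client_ip: str) -> bool:
    """Mitigation 1: only trusted administrator hosts may reach the page.
    Malformed addresses are rejected rather than treated as permitted."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def safe_redirect_target(target: str) -> str:
    """Mitigation 2a: never let a request parameter send the administrator to
    another host. Only a relative path on this server is accepted; absolute
    URLs, scheme-relative '//host' forms and backslash tricks fall back to '/'."""
    if "\\" in target:
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return parts.path + ("?" + parts.query if parts.query else "")


def render_vulnerable(params: dict) -> str:
    """Generic reflected-XSS pattern (constructed): both parameters are written
    into the page verbatim, so a crafted link controls the markup and the form's
    destination."""
    return (f"<p>{params.get('message', '')}</p>"
            f"<form action=\"{params.get('next', '/')}\" method=\"post\">")


def render_hardened(params: dict, client_ip: str) -> tuple:
    """Same page with both mitigations: source-address check first, then every
    reflected value is HTML-escaped (quotes included, since it lands inside an
    attribute) and the redirect target is constrained to this server."""
    if not client_allowed(client_ip):
        return (403, "")
    message = html.escape(params.get("message", ""), quote=True)
    action = html.escape(safe_redirect_target(params.get("next", "/")), quote=True)
    return (200, f"<p>{message}</p><form action=\"{action}\" method=\"post\">")


if __name__ == "__main__":
    # Constructed request: markup in 'message' and an off-host 'next' target.
    req = {"message": "<b>x</b>", "next": "http://other.example/logon"}
    print(render_vulnerable(req))
    print(render_hardened(req, "10.0.5.7"))
    print(render_hardened(req, "203.0.113.4"))
```

The order matters: the address check runs before any parameter is touched, so an untrusted client never receives a page at all, and escaping with `quote=True` is what keeps a value inside the `action="..."` attribute from closing it. The host restriction is a network-layer control in the advisory's wording; it is expressed in application code here only so the whole check is visible in one place.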