Key Information Summary Vulnerability Overview Vulnerability Name: Cisco Integrated Management Controller Virtual Keyboard Video Monitor Shared Cross-Site Scripting Vulnerability CVE ID: CVE-2021-34756 CVSS Score: 4.8 (Medium) Release Date: 2021-09-22 Affected Products Cisco UCS Director Software Cisco UCS Manager Software Cisco UCS B-Series and C-Series Servers in Direct Managed Mode Cisco UCS E-Series Servers in Direct Managed Mode Cisco UCS C-Series Servers in Standalone Mode or Indirect Managed Mode Cisco UCS G-Series Fabric Interconnects Cisco UCS S-Series Fabric Interconnects Vulnerability Description This vulnerability exists in the Virtual Keyboard Video Monitor Shared feature of Cisco Integrated Management Controller (IMC). An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted request to the affected system, leading to the execution of arbitrary code in the user's web browser. How It Works Attackers can exploit this vulnerability to execute arbitrary code in the user's web browser, potentially gaining access to sensitive information or further compromising the affected device. Solution Cisco has acknowledged and released a fix. Users are advised to update to the following versions to resolve this vulnerability: - UCS Director Software: 6.7(1c), 6.7(1b), 6.7(1a), 6.7(1) - UCS Manager Software: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) - UCS B-Series and C-Series Servers in Direct Managed Mode: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) - UCS E-Series Servers in Direct Managed Mode: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) - UCS C-Series Servers in Standalone Mode or Indirect Managed Mode: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) - UCS G-Series Fabric Interconnects: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) - UCS S-Series Fabric Interconnects: 4.2(3d), 4.2(3c), 4.2(3b), 4.2(3a), 4.2(3) Public Disclosure and Announcements This vulnerability was discovered during internal security testing and has been discussed on multiple public forums. ``` These key details provide an overview of the vulnerability, its scope, severity, and guidance on how to mitigate the issue.