CVE-2024-20274 Information

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software formerly Firepower Management Center Software could allow an authenticated remote attacker to inject arbitrary HTML content into a device-generated document.

This vulnerability is due to improper validation of user-supplied data. An attacker could exploit this vulnerability by submitting malicious content to an affected device and using the device to generate a document that contains sensitive information. A successful exploit could allow the attacker to alter the standard layout of the device-generated documents access arbitrary files from the underlying operating system and conduct server-side request forgery (SSRF) attacks. To successfully exploit this vulnerability an attacker would need valid credentials for a user account with policy-editing permissions such as Network Admin Intrusion Admin or any custom user role with the same capabilities.

Reference

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-html-inj-nfJeYHxz https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300