CVE-2017-12307

Name: CVE-2017-12307
Creator: NVD / NIST
Published: 2018-01-18T06:29:00.207+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 0.88%

Last modified Jun 17, 2026

CVE-2017-12307 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of parameters that are passed to the web server of the affected system. EPSS estimates a 0.88% chance of exploitation in the next 30 days.

Description

A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting and injecting code into a user request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches. Cisco Bug IDs: CSCvg24637.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.88%

54.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Cisco	Sg350-10 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350-10p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350-10mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg355-10p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350-28 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350-28p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350-28mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf350-48 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf350-48p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf350-48mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350xg-2f10 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350xg-24f Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350xg-24t Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350xg-48t Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-24 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-24p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-24mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-48 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-48p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg350x-48mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-16ft Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-24ft Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-12f Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-24f Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-24 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sx550x-52 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-24 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-24p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-24mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-24mpp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-48 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-48p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg550x-48mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-24 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-24p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-24mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-48 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-48p Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf550x-48mp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Esw2-350g-52 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Esw2-350g-52dc Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Esw2-550x-48 Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Esw2-550x-48dc Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf302-08pp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf302-08mpp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg300-10pp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg300-10mpp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf300-24pp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sf300-48pp Firmware	>= 1.4.7.0, < 1.4.9.4
Cisco	Sg300-28pp Firmware	>= 1.4.7.0, < 1.4.9.4

Showing 50 of 85 affected configurations. See NVD for the full list.

References

http://www.securityfocus.com/bid/102718Third Party Advisory, VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-300-500-smb1Vendor Advisory
http://www.securityfocus.com/bid/102718Third Party Advisory, VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-300-500-smb1Vendor Advisory

Timeline

Published: Jan 18, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-12307?

How severe is CVE-2017-12307?

CVE-2017-12307 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.88% probability of exploitation in the next 30 days.

How do I fix CVE-2017-12307?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-12307?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST