XSS vuln found in Cisco's social support software

Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.

That's the slightly embarrassing bug Cisco's just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.

It means some unfortunate support staffer who's not paying close attention to what they're receiving could get tricked into clicking a malicious link.

SocialMiner is yet-another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software will tell someone to respond. Preferably before anything looks like going viral.

Cisco's advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.

"An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”

While it only has a relatively low CVSS score of 4.3, there's no fix as yet, nor are there workarounds.

However, it's probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things. ®