
TL;DR
SureCloud identified two vulnerabilities in two Cisco products:
- Cisco Vision Dynamic Signage Director Unauthenticated XSS (known as CVE-2021-34742)
- Cisco Vision Digital Media Player Authenticated Path Traversal (low risk issue, no CVE assigned)
The following article aims to provide a technical overview of the identified vulnerabilities.
In-scope Components
Both devices are used in venues (airports, shops, fast food, etc.) to orchestrate digital content to hundreds of TV displays. Cisco Vision Dynamic Signage Director is the core component and Cisco Vision Digital Media Player is the endpoint device connected to the TV/Display.
Media Player:
Name: CV-DMP
Description: Cisco Vision Digital Media Player
Model: CV-HD2
Boot Version: 8.0.30
Boot Extra Version: 8.0.30
Firmware Version: 8.2.42

Dynamic Signage Director:
Description: Cisco Vision Dynamic Signage Director
Version: 6.3.0
Build: 1108

CVE-2021-34742 (Unauthenticated Reflective XSS)
The Cisco Vision Dynamic Signage Director was found to be susceptible to an instance of reflective Cross-Site Scripting (XSS) exploitable from an unauthenticated perspective. XSS occurs when an application echoes user-controllable input back to the browser without first sanitizing or escaping dangerous characters.
Vulnerable page: /CiscoVision/login.html
Vulnerable parameter: timeout
PoC URL: https://target_ip/CiscoVision/login.html?login_error=3&timeout=000%3Cscript%3Ealert(document.cookie);%3C/script%3E

Additional information is available at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-xss-fvdj6HK
Authenticated Path Traversal
The Cisco Vision Digital Media Player was found to be susceptible to a Path Traversal vulnerability, exploitable from an authenticated perspective. This issue occurs when the application accepts input that is used as part of a filesystem operation without validating it correctly, so a malicious user can supply specific characters that cause the system to operate outside of the intended filesystem location. By default, the vulnerable pages give access to the filesystem on the MicroSD card; however, this can be overridden to list or download any file within the root filesystem by simply using the following:
Vulnerable pages: /storage.html, /save
Vulnerable parameter: rp
List content of /etc/ PoC request: http://target_ip/storage.html?rp=//etc
Download /etc/passwd file PoC request: http://target_ip/save?rp=//etc/passwd


Cisco PSIRT categorized this issue as low risk, and therefore a CVE was not assigned. Additional details are available at: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy84947
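One way to confine a request parameter such as rp to the storage root, shown as an added example that is not Cisco's code or part of the original write-up. The function names and the sdcard directory are hypothetical, and the naive join is an assumed pattern included only for contrast with the hardened check.

```python
import os
import tempfile


def naive_resolve(root, rp):
    # Assumed weak pattern (illustration only): os.path.join discards `root`
    # whenever `rp` is absolute, so "//etc" resolves outside the storage root.
    return os.path.normpath(os.path.join(root, rp))


def safe_resolve(root, rp):
    """Resolve `rp` beneath `root`; raise ValueError if the result escapes it."""
    root_real = os.path.realpath(root)
    # Treat rp as relative to the root regardless of leading slashes.
    relative = rp.lstrip("/\\")
    # realpath collapses ".." and follows symlinks, so the containment
    # check below is made on the final location, not on the raw string.
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("rp escapes storage root: %r" % rp)
    return candidate


def classify(root, requests):
    """Return {rp: resolved path or 'rejected'} for a list of rp values."""
    results = {}
    for rp in requests:
        try:
            results[rp] = safe_resolve(root, rp)
        except ValueError:
            results[rp] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed sample input: a temporary directory stands in for the
    # MicroSD mount point, and the rp values mirror the shapes in the PoCs.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sdcard")
        os.makedirs(os.path.join(root, "media"))
        samples = ["media", "//etc", "//etc/passwd", "../../etc/passwd"]
        print("naive :", naive_resolve(root, "//etc/passwd"))
        for rp, outcome in classify(root, samples).items():
            print("safe  :", rp, "->", outcome)
```

With this check, an absolute-looking value such as //etc/passwd is re-rooted under the storage directory, while any value whose resolved location falls outside it is refused.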
Disclosure Timeline:
27/05/2021: Bugs identified
29/05/2021: Technical documentation delivered to Cisco PSIRT
01/07/2021: Acknowledgment of internal triage
05/08/2021: Vendor request to postpone the disclosure
08/10/2021: Cisco released the public advisories
13/10/2021: This blog post published