Cisco Unified Contact Center Express 10.0(1) Cross Site Scripting Vulnerability
6 Jan. 2017
Cross-site scripting (XSS) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCuy75020 and CSCuy81652.
* Cisco Unified Contact Center Express 10.0(1)
* Cisco Unified Contact Center Express 10.5(1)
* Cisco Unified Contact Center Express 10.6(1)
* Cisco Unified Contact Center Express 11.0(1)
* Cisco Unified Intelligence Center 8.5.4
* Cisco Unified Intelligence Center 9.0(2)
* Cisco Unified Intelligence Center 9.1(1)
A vulnerability in the HTTP web-based management interface of Cisco Unified Intelligence Center (CUIC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system.
The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link. A successful exploit could allow the attacker to submit arbitrary requests to the affected system via a web browser with the privileges of the user.
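
The following is an added example, not part of the advisory or of any Cisco tooling: it triages an asset inventory against the affected version ranges stated above ("8.5.4 through 9.1(1)" and "10.0(1) through 11.0(1)"). It assumes that `8.5.4` and `8.5(4)` denote the same release and that SU/ES suffixes can be ignored; the inventory rows and host names are constructed.

```python
import re

# Inclusive affected ranges, taken from the advisory text.
AFFECTED = {
    "Cisco Unified Intelligence Center": ("8.5.4", "9.1(1)"),
    "Cisco Unified Contact Center Express": ("10.0(1)", "11.0(1)"),
}

# Accepts '10.6(1)', '8.5.4', '11.0' and '10.6(1)SU2' (suffix ignored: assumption).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))?")


def parse_version(text):
    """Return (major, minor, maintenance) as integers."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, paren, dotted = m.groups()
    maint = paren if paren is not None else dotted
    return (int(major), int(minor), int(maint or 0))


def is_affected(product, version):
    """True if the version lies inside the advisory's range for that product."""
    bounds = AFFECTED.get(product)
    if bounds is None:
        return False
    low, high = (parse_version(b) for b in bounds)
    return low <= parse_version(version) <= high


def triage(inventory):
    """Map each host to 'affected', 'not listed' or 'unparsable'."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = "affected" if is_affected(product, version) else "not listed"
        except ValueError:
            report[host] = "unparsable"  # needs a manual look, do not assume safe
    return report


# Constructed inventory rows: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("uccx-01", "Cisco Unified Contact Center Express", "10.6(1)SU2"),
    ("uccx-02", "Cisco Unified Contact Center Express", "11.5(1)"),
    ("cuic-01", "Cisco Unified Intelligence Center", "9.0(2)"),
    ("cuic-02", "Cisco Unified Intelligence Center", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as affected still needs to be checked against the vendor's fixed-release information, which this page does not list.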