Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) Vulnerability

Summary

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software.

Credit:

The information has been provided by the vendor.

The original article can be found at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-cucm-xss-12715


Details

The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

Vulnerable Systems:

Cisco Unified Communications Manager and Cisco Unified Communications Manager SME 10.5(2) and earlier

Cisco Unified Communications Manager and Cisco Unified Communications Manager SME 11.5(1)SU5 and earlier

Cisco Unified Communications Manager and Cisco Unified Communications Manager SME 12.0(1)SU2 and earlier

Cisco Unified Communications Manager and Cisco Unified Communications Manager SME 12.5(1) and earlier
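
To triage an inventory against the list above, the following sketch parses release strings in the advisory's own notation and compares them with the highest affected release of each train. It is an added example, not code from Cisco or from the original advisory; the host names and inventory are constructed, and the reading of "and earlier" (compared within one major.minor train, with trains older than 10.5 covered by the 10.5(2) entry) is an assumption.

```python
import re

# Highest affected release per train, copied from "Vulnerable Systems" above.
# Assumption: "and earlier" is evaluated inside one major.minor train, and
# trains older than 10.5 fall under the "10.5(2) and earlier" entry.
AFFECTED_MAX = {
    (10, 5): "10.5(2)",
    (11, 5): "11.5(1)SU5",
    (12, 0): "12.0(1)SU2",
    (12, 5): "12.5(1)",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SU(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '11.5(1)SU5' into the sortable tuple (11, 5, 1, 5)."""
    match = _VERSION.match(text.replace(" ", ""))
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, su = match.groups()
    return int(major), int(minor), int(maint), int(su or 0)


def is_listed_vulnerable(text):
    """True: listed as affected. False: newer than the listed maximum for
    its train (the page names no fixed release, so this is not proof of a
    fix). None: train not mentioned on the page, check the vendor advisory."""
    version = parse_version(text)
    train = version[:2]
    if train < (10, 5):
        return True
    if train not in AFFECTED_MAX:
        return None
    return version <= parse_version(AFFECTED_MAX[train])


# Constructed inventory for illustration; host names are hypothetical.
INVENTORY = {
    "cucm-pub-01": "11.5(1)SU5",
    "cucm-sub-02": "11.5(1)SU6",
    "sme-01": "12.5(1)",
    "cucm-lab": "11.0(1)",
}

if __name__ == "__main__":
    for host, release in INVENTORY.items():
        print(f"{host:12} {release:12} {is_listed_vulnerable(release)}")
```

Full build numbers are not handled, because the page does not give a mapping from build numbers to SU levels.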

CVE Information:

CVE-2019-12715

Disclosure Timeline:

Published Date: 10/02/2019