Cisco Unified Contact Center Management Portal up to 12.6(1)_ES13 Web-based Management Interface cross site scripting

Summaryinfo

A vulnerability was found in Cisco Unified Contact Center Management Portal. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Web-based Management Interface. The manipulation results in cross site scripting. This vulnerability was named CVE-2024-20540. The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in Cisco Unified Contact Center Management Portal. Affected is some unknown processing of the component Web-based Management Interface. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into a specific page of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. To exploit this vulnerability, the attacker must have at least a Supervisor role on an affected device.

The advisory is available at sec.cloudapps.cisco.com. This vulnerability is traded as CVE-2024-20540 since 11/08/2023. The exploitability is told to be easy. It is possible to launch the attack remotely. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.

Upgrading eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• Cisco

Name

• Unified Contact Center Management Portal

Version

• 10.5(1)
• 10.5(1)ES1
• 10.5(1)ES2
• 10.5(1)ES3
• 10.5(1)ES4
• 10.5(1)ES5
• 10.5(1)ES6
• 10.5(1)ES7
• 10.5(1)ES8
• 10.5(1)ES9
• 10.5(1)ES10
• 10.5(1)ES11
• 10.5(1)ES12
• 10.5(1)ES13
• 11.0(1)
• 11.0(1)ES1
• 11.0(1)ES2
• 11.0(1)ES3
• 11.5(1)
• 11.5(1)ES1
• 11.5(1)ES2
• 11.5(1)ES3
• 11.5(1)ES4
• 11.5(1)ES5
• 11.5(1)ES6
• 11.5(1)ES7
• 11.5(1)ES8
• 11.5(1)ES9
• 11.6(1)
• 11.6(1)ES1
• 11.6(1)ES2
• 11.6(1)_ES3
• 11.6(1)_ES4
• 11.6(1)_ES5
• 11.6(1)_ES6
• 11.6(1)_ES7
• 11.6(1)_ES9
• 11.6(1)_ES10
• 11.6(1)_ES11
• 11.6(1)_ES12
• 11.6(1)_ES13
• 11.6(1)_ES14
• 11.6(1)_ES15
• 11.6(1)_ES16
• 11.6(1)_ES17
• 12.0(1)
• 12.0(1)_ES1
• 12.0(1)_ES2
• 12.0(1)_ES3
• 12.0(1)_ES4
• 12.0(1)_ES5
• 12.5(1)
• 12.5(1)_ES1
• 12.5(1)_ES2
• 12.5(1)_ES3
• 12.5(1)_ES4
• 12.5(1)_ES5
• 12.5(1)_ES6
• 12.5(1)_ES7
• 12.5(1)_ES8
• 12.5(1)_ES9
• 12.5(1)_ES10
• 12.5(1)_ES11
• 12.5(1)_ES12
• 12.6(1)
• 12.6(1)_ES1
• 12.6(1)_ES2
• 12.6(1)_ES3
• 12.6(1)_ES4
• 12.6(1)_ES5
• 12.6(1)_ES6
• 12.6(1)_ES7
• 12.6(1)_ES8
• 12.6(1)_ES9
• 12.6(1)_ES10
• 12.6(1)_ES11
• 12.6(1)_ES12
• 12.6(1)_ES13

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion