Cisco Unity Connection Reflected XSS Vulnerability (cisco-sa-20170906-cuc)

medium Nessus Plugin ID 103112

Synopsis

The version of Cisco Unity Connection on the remote host is affected by a reflected cross-site scripting vulnerability.

Description

Cisco Unity Connection 10.5(2) with a default configuration allows remote attackers to conduct a reflected cross-site scripting (XSS) attack against the user of the web interface by submitting invalid input parameters via HTTP GET or POST.

Solution

Upgrade Cisco Unity Connection per the vendor advisory CSCvf25345.

See Also

http://www.nessus.org/u?86fa5dd5

Plugin Details

Severity: Medium

ID: 103112

File Name: cisco_uc_10_5_2.nasl

Version: 1.4

Type: local

Family: CISCO

Published: 9/11/2017

Updated: 11/12/2019

Risk Information

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2017-12212

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:unity_connection

Required KB Items: Host/Cisco/Unity_Connection/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/6/2017

Vulnerability Publication Date: 9/6/2017

Reference Information

CVE: CVE-2017-12212

CISCO-BUG-ID: CSCvf25345

CISCO-SA: cisco-sa-20170906-cuc