Detections
Analytics

Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability

medium Nessus Plugin ID 130016

Language:

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site.

Solution

Apply the patch or upgrade to the version recommended in Cisco bug ID CSCvf76417

See Also

http://www.nessus.org/u?2aa06cef

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf76417

Plugin Details

Severity: Medium

ID: 130016

File Name: cisco-sa-20180606-cuc-xss.nasl

Version: 1.2

Type: local

Family: CISCO

Published: 10/18/2019

Updated: 10/18/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-0354

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:unity_connection

Required KB Items: Settings/ParanoidReport, installed_sw/Cisco VOSS Unity

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2016

Vulnerability Publication Date: 6/6/2016

Reference Information

CVE: CVE-2018-0354

BID: 104426

CWE: 79

CISCO-SA: cisco-sa-20160203-uc

CISCO-BUG-ID: CSCvf76417