Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability
TL;DR 📌
A stored cross-site scripting (XSS) vulnerability has been identified in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This vulnerability allows an authenticated remote attacker to execute arbitrary script code, potentially accessing sensitive information. Cisco has released fixed software updates, but no workarounds are available.
What happened 🕵️♂️
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated attacker to conduct a cross-site scripting (XSS) attack. This occurs because the interface fails to properly validate user input, enabling the injection of malicious code. Successful exploitation could lead to the execution of arbitrary scripts in the context of the affected interface, compromising sensitive, browser-based information.
Affected products 🖥️
The following products are affected by this vulnerability:
- Cisco Unified Communications Manager (Unified CM)
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 12.5 | Migrate to a fixed release. | |
| 14 | Migrate to a fixed release. | |
| 15 | 15SU3 | |
| 1.0 | Initial public release. | |
| Cisco Unified CM and Unified CM SME | 15SU3 | 12.5, 14 |
Workarounds 🧯
There are no workarounds available for this vulnerability.
Risk in context 🎯
With a CVSS score of 4.8, this vulnerability is rated as Medium severity. The risk is primarily driven by the need for valid administrative credentials for exploitation, which limits exposure to authenticated users. However, the potential for sensitive information access remains a concern, especially in environments where administrative access is prevalent.
Fast facts ⚡
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- CVSS Score: 4.8 (Medium)
- Exploitation: Requires valid administrative credentials
- Workarounds: None available
- Fixed Software: Available for specified versions
For leadership 🧭
This vulnerability presents a Medium risk to our organization, as it requires authenticated access to exploit. The exposure is limited to users with administrative credentials, but successful exploitation could lead to unauthorized access to sensitive information. Immediate remediation is necessary, with a recommendation to patch within 7 days, as fixed software is available.
Operational impact is minimal, requiring a brief maintenance window with no expected configuration drift.
Now: Review affected systems and prepare for patching.
Next: Schedule and implement the software upgrades.
Later: Monitor for any unusual activity or signs of exploitation.