Cisco Unified Communications Manager
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This vulnerability allows an authenticated, remote attacker to inject malicious scripts into specific pages of the interface. The web management interface's failure to properly validate user input enables this exploitation. A successful attack could execute arbitrary scripts in the context of the user's session or access sensitive browser-based information. Exploitation requires valid administrative credentials.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user interface.
Cisco has released software updates to address this vulnerability. Users are advised to upgrade to the fixed releases mentioned in the advisory. For guidance on obtaining the fixed software, refer to the Cisco Support and Downloads page or contact the Cisco Technical Assistance Center (TAC).