Cisco Finesse
cpe:2.3:a:cisco:finesse:*:*:*:*:*:*:*
A remote file inclusion vulnerability has been identified in Cisco Finesse. This issue allows an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, potentially leading to browser-based attacks. The vulnerability arises from inadequate validation of user-supplied input in HTTP requests sent to the device. An attacker aware of the device's address could exploit this by convincing a user to click a crafted link containing that address. Successful exploitation might enable the attacker to execute arbitrary script code in the context of the affected interface or access sensitive information on the device.
Successful exploitation could allow remote file inclusion, leading to browser-based attacks in which an attacker executes arbitrary scripts in the context of the user's session or accesses sensitive information on the affected device.
Users are advised to upgrade to Cisco Finesse version 15.0(1)SU1 or later. For versions earlier than 15.0, migrating to a fixed release is recommended.