A vulnerability in the web-based interface of multiple Cisco Unified Communications products could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

Published : 2019-10-02 19:15 Updated : 2019-10-11 18:46

CVSS Score More info
Score 4.3 / 10
Vendor Product Version URI
Cisco Unified Communications Manager 10.5%282.10000.5%29 cpe:/a:cisco:unified_communications_manager:10.5%282.10000.5%29
Cisco Unified Communications Manager 11.5%281.10000.6%29 cpe:/a:cisco:unified_communications_manager:11.5%281.10000.6%29
Cisco Unified Communications Manager 12.0%281.10000.10%29 cpe:/a:cisco:unified_communications_manager:12.0%281.10000.10%29
Cisco Unified Communications Manager 12.5%281.10000.22%29 cpe:/a:cisco:unified_communications_manager:12.5%281.10000.22%29
Cisco Unified Communications Manager Im And Presence Service 14.0%281%29 cpe:/a:cisco:unified_communications_manager_im_and_presence_service:14.0%281%29
Cisco Unity Connection 11.5 cpe:/a:cisco:unity_connection:11.5
Cisco Unity Connection 12.0 cpe:/a:cisco:unity_connection:12.0
Cisco Unity Connection 12.5 cpe:/a:cisco:unity_connection:12.5
  1. Cisco (3) Search CVE
    1. Unified Communications Manager Im And Presence Service (1) Search CVE
      1. 14.0%281%29
    2. Unified Communications Manager (4) Search CVE
      1. 10.5%282.10000.5%29
      2. 11.5%281.10000.6%29
      3. 12.0%281.10000.10%29
      4. 12.5%281.10000.22%29
    3. Unity Connection (3) Search CVE
      1. 11.5
      2. 12.0
      3. 12.5


ID Name Description Links
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. CVE

History of changes

Date Event
2019-10-11 18:46
2019-10-02 19:17