CVE-2021-1380
Published on: 04/08/2021 12:00:00 AM UTC
Last Modified on: 04/13/2021 05:55:00 PM UTC
CVE-2021-1380 - advisory for cisco-sa-cucm-xss-Q4PZcNzJ
Source: Mitre Source: NIST CVE.ORG Print: PDF
Certain versions of Unified Communications Manager from Cisco contain the following vulnerability:
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
- CVE-2021-1380 has been assigned by
[email protected] to track the vulnerability - currently rated as MEDIUM severity.
- The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
- Affected Vendor/Software:
Cisco - Cisco Unity Connection version n/a
CVSS3 Score: 6.1 - MEDIUM
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | REQUIRED |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
CHANGED | LOW | LOW | NONE |
CVSS2 Score: 4.3 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | PARTIAL | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Cisco Unified Communications Products Cross-Site Scripting Vulnerabilities | tools.cisco.com text/html |
![]() |
Related QID Numbers
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Cisco | Unified Communications Manager | All | All | All | All |
Application | Cisco | Unified Communications Manager | All | All | All | All |
Application | Cisco | Unified Communications Manager Im Presence Service | All | All | All | All |
Application | Cisco | Unified Communications Manager Im Presence Service | All | All | All | All |
Application | Cisco | Unity Connection | All | All | All | All |
- cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*:
- cpe:2.3:a:cisco:unified_communications_manager_im_&_presence_service:*:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_communications_manager_im_\&_presence_service:*:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:*:
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
CVE-2021-1380 : Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Mana… twitter.com/i/web/status/1… | 2021-04-08 04:17:27 |