CVE-2021-1408

Published on: 04/08/2021 12:00:00 AM UTC

Last Modified on: 04/16/2021 08:31:00 PM UTC

CVE-2021-1408 - advisory for cisco-sa-cucm-xss-Q4PZcNzJ

Source: Mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Certain versions of Unified Communications Manager from Cisco contain the following vulnerability:

Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an interface user. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading an interface user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

  • CVE-2021-1408 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
  • Affected Vendor/Software: Cisco - Cisco Unity Connection version n/a

CVSS3 Score: 6.1 - MEDIUM

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS2 Score: 4.3 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVE References

Description: Cisco Unified Communications Products Cross-Site Scripting Vulnerabilities
Link: tools.cisco.com (text/html) - CISCO 20210407 Cisco Unified Communications Products Cross-Site Scripting Vulnerabilities

Related QID Numbers

  • 316928 Cisco Unified Communications Products Cross-Site Scripting Vulnerabilities (cisco-sa-cucm-xss-Q4PZcNzJ)
  • 316943 Cisco Unified Communications Manager IM and Presence Service Cross-Site Scripting Vulnerabilities (cisco-sa-cucm-xss-Q4PZcNzJ)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Cisco | Unified Communications Manager | All | All | All | All
Application | Cisco | Unified Communications Manager | All | All | All | All
  • cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*:

Social Mentions

Source: @CVEreport (Twitter)
Title: CVE-2021-1408 : Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Mana… twitter.com/i/web/status/1…
Posted (UTC): 2021-04-08 04:19:36