CVE-2024-20405Improper Input Validation in Cisco Finesse

CWE-20Improper Input ValidationCWE-79Cross-site ScriptingCWE-918Server-Side Request Forgery4 documents4 sources
Severity
6.1MEDIUMNVD
CNA4.8
EPSS
0.9%
top 24.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Cisco FinesseCisco FinesseCisco Packaged Contact Center Enterprise+2 more
Timeline
PublishedJun 5

Description

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a stored XSS attack by exploiting an RFI vulnerability. This vulnerability is due to insufficient validation of user-supplied input for specific HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

NVDcisco/finesse< 11.6\(1\)+2
CVEListV5cisco/cisco_finesse12.6(2), 12.6(2)ES1, 12.6(2)ES2+2

🔴Vulnerability Details

2
GHSA
GHSA-gg5f-6jp8-fpqw: A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a stored XSS attack2024-06-05
CVEList
CVE-2024-20405: A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a stored XSS attack2024-06-05

📋Vendor Advisories

1
Cisco
Cisco Finesse Web-Based Management Interface Vulnerabilities2024-06-05
CVE-2024-20405 — Improper Input Validation in Cisco | cvebase