Cisco Unified Contact Center Express vulnerabilities

CVE-2021-44228 [CRITICAL] CWE-20 CVE-2021-44228: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LD

CVE-2021-1395 [MEDIUM] CWE-79 CVE-2021-1395: A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could all A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could

CVE-2021-1463 [MEDIUM] CWE-79 CVE-2021-1463: A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacke

CVE-2019-1888 [HIGH] CWE-434 CVE-2019-1888: A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficie

CVE-2020-3267 [HIGH] CWE-285 CVE-2020-3267: A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could all A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected sys

CVE-2020-3280 [CRITICAL] CWE-20 CVE-2020-3280: A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Uni A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerabil

CVE-2020-3177 [HIGH] CWE-22 CVE-2020-3177: A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communication A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of u

CVE-2019-15278 [MEDIUM] CWE-79 CVE-2019-15278: A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticate A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitti

CVE-2019-15259 [MEDIUM] CWE-113 CVE-2019-15259: A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticat A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by co

CVE-2019-12633 [HIGH] CWE-20 CVE-2019-12633: A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulner

CVE-2019-12626 [MEDIUM] CWE-20 CVE-2019-12626: A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unifi A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied

CVE-2018-0403 [CRITICAL] CWE-79 CVE-2018-0403: Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Expre Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to retrieve a cleartext password. Cisco Bug IDs: CSCvg71040.

CVE-2018-0402 [HIGH] CWE-79 CVE-2018-0402: Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Expre Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921.

CVE-2018-0401 [MEDIUM] CWE-79 CVE-2018-0401: Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Expre Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70967.

CVE-2018-0400 [MEDIUM] CWE-79 CVE-2018-0400: Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Expre Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70904.

CVE-2017-6779 [HIGH] CWE-399 CVE-2017-6779: Multiple Cisco products are affected by a vulnerability in local file management for certain system Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because a certain system log file does not have a maxi

CVE-2017-6722 [MEDIUM] CWE-287 CVE-2017-6722: A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Co A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information: CSCuw86638. Known Affected Releases: 10.6(1). Known Fixed Releases: 11.5(1.1

CVE-2016-6427 [HIGH] CWE-352 CVE-2016-6427: Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 th Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuy75036 and CSCuy81654.

CVE-2016-6425 [MEDIUM] CWE-79 CVE-2016-6425: Cross-site scripting (XSS) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9 Cross-site scripting (XSS) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCuy75020 and CSCuy81652.

CVE-2016-6426 [HIGH] CWE-20 CVE-2016-6426: The j_spring_security_switch_user function in Cisco Unified Intelligence Center (CUIC) 8.5.4 through The j_spring_security_switch_user function in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to create user accounts by visiting an unspecified web page, aka Bug IDs CSCuy75027 and CSCuy81653.