In recent news, a vulnerability has been identified in the web-based management interface of the Cisco Unified Contact Center Management Portal (Unified CCMP). This vulnerability could potentially allow an authenticated, remote attacker with low privileges to carry out a stored cross-site scripting (XSS) attack against a user of the interface.
The vulnerability stems from insufficient validation of user-supplied input in the web-based management interface. This allows an attacker to inject malicious code into a specific page of the interface, where it is stored and later rendered for other users. By successfully exploiting this vulnerability, the attacker could execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note that to exploit this vulnerability, the attacker must hold at least the Supervisor role on the affected device.
In response to this security concern, Cisco has promptly released software updates to address the identified vulnerability. It is crucial for users to apply these updates to mitigate the risk posed by this vulnerability as there are no known workarounds available.
At the time of publication, the affected product was Cisco Unified CCMP, irrespective of device configuration. Users are encouraged to refer to the advisory for detailed information on the vulnerable Cisco software releases. It is vital for users to be aware that only products listed in the Vulnerable Products section of the advisory are known to be affected by this particular vulnerability. Cisco has confirmed that the vulnerability does not impact Cisco Finesse.
When considering software upgrades, customers are advised to consult the advisories for Cisco products regularly to determine exposure and obtain a complete upgrade solution. Customers should also ensure that the devices to be upgraded have sufficient memory and that current hardware and software configurations will be supported by the new release.
The fixed releases provided by Cisco include specific versions for different releases of Cisco Unified CCMP. Customers are advised to migrate to the fixed release corresponding to their current software version to address the identified vulnerability.
The initial public release of this advisory was on 6 November 2024, giving users the information needed to take preventive action promptly. Cisco has also pointed to its Security Vulnerability Policy, which describes the disclosure policies and procedures it follows.
In conclusion, it is crucial for users of Cisco Unified Contact Center Management Portal to be vigilant about applying the necessary software updates provided by Cisco to address the identified vulnerability. By staying informed and taking proactive measures, users can enhance the security of their systems and mitigate potential risks associated with such vulnerabilities.