SB2025052220 - Multiple vulnerabilities in Cisco Unified Intelligence Center and Unified Contact Center Express

Security Bulletin ID SB2025052220

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Client-Side Enforcement of Server-Side Security (CVE-ID: CVE-2025-20113)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. A remote user can access, modify, or delete data beyond the sphere of their intended access level.

2) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-20114)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied parameters in API requests. A remote user can perform insecure direct object reference attack and gain access to specific data that is associated with different users on the affected system.

Remediation

Install update from vendor's website.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4