Cross-site scripting attacks in web-based management interface - CVE-2016-1439


Published: June 27, 2016 / Updated: July 11, 2016


Vulnerability identifier: #VU32
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-1439
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor:
Affected software:

Detailed vulnerability description

The vulnerability allows a remote attacker to execute a cross-site scripting attack against a user of the web interface of an affected system.

The vulnerability exists due to insufficient input validation of a user-supplied value. A remote attacker can exploit this vulnerability by persuading a user to click on a specially crafted URL link that, when loaded by the target user, will cause arbitrary scripting code to be executed in the target user's browser.

Successful exploitation of this vulnerability may give the attacker access to the target user's cookies associated with the site running the Cisco Unified Contact Center Enterprise software, and to data the target user recently submitted to that site via web forms.
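The CWE-79 pattern described above, shown in miniature as an added example (not Cisco's code and not the affected product's page): a hypothetical management page reflects a query-string value from the link the victim opened, first without any encoding and then with length validation plus HTML encoding so the value can only ever render as text. The URL, parameter name and handler names are constructed for illustration.

```python
# Added example, not code from the affected product. A hypothetical
# management page reflects a user-supplied query-string value into HTML.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the value of "q" is attacker-controlled
# because it comes from the crafted link the victim was persuaded to open.
SAMPLE_URL = "https://mgmt.example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

MAX_TERM_LEN = 64  # assumed limit for a search term in this hypothetical UI


def reflected_param(url: str, name: str) -> str:
    """Return the decoded first value of one query parameter, or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Insufficient input validation: the raw value lands inside the markup,
    so a value containing tags becomes live HTML/script in the browser."""
    return f"<p>Results for: {value}</p>"


def render_hardened(value: str) -> str:
    """Validate (length-limit) the input, then HTML-encode it before it is
    placed in the page. Encoded characters cannot start a tag or attribute."""
    value = value[:MAX_TERM_LEN]
    return f"<p>Results for: {html.escape(value, quote=True)}</p>"


def contains_script_tag(rendered: str) -> bool:
    """Simple check for a test harness: did user input become a <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    term = reflected_param(SAMPLE_URL, "q")
    print(render_vulnerable(term))  # tag survives: the CWE-79 defect
    print(render_hardened(term))    # tag is encoded: renders as inert text
```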

How to mitigate CVE-2016-1439

A patch for this vulnerability is available through the Cisco Bug Search Tool.

Sources