Main Vulnerability Database Vulnerabilities #VU13205

#VU13205 Cross-frame scripting in Unified Communications Manager (CallManager) - CVE-2018-0355

Published: June 7, 2018

Vulnerability identifier: #VU13205

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-0355

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Unified Communications Manager (CallManager)

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to execute a cross-frame scripting (XFS) attack.

The weakness exists in the web UI of Cisco Unified Communications Manager (Unified CM) due to insufficient protections for HTML inline frames (iframes) by the web UI. A remote attacker can trick the victim into visiting a specially crafted website, conduct XFS-attack and conduct click-jacking or other client-side browser attacks on the affected system.

Remediation

Update to versions 11.5(1.15900.8), 12.5(0.98000.666), 12.5(0.98000.667)

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

#VU13205 Cross-frame scripting in Unified Communications Manager (CallManager) - CVE-2018-0355

Description

Remediation

External links

Please verify you're human