Vulnerability identifier: #VU13205

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0355

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Unified Communications Manager (CallManager)
Server applications / Remote management servers, RDP, SSH

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote attacker to execute a cross-frame scripting (XFS) attack.

The weakness exists in the web UI of Cisco Unified Communications Manager (Unified CM) due to  insufficient protections for HTML inline frames (iframes) by the web UI. A remote attacker can trick the victim into visiting a specially crafted website, conduct XFS-attack and conduct click-jacking or other client-side browser attacks on the affected system.

Mitigation
Update to versions 11.5(1.15900.8), 12.5(0.98000.666), 12.5(0.98000.667)

Vulnerable software versions

Unified Communications Manager (CallManager): 11.5.1.10000.6

---

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.