CVE-2021-1254 – Cisco Finesse Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1254
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit these vulnerabilities by injecting malicious code into the web-based management interface and persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. An attacker needs valid administrator credentials to inject the malicious script code. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-strd-xss-bUKqffFW • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-1245 – Cisco Finesse OpenSocial Gadget Editor Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-1245
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco Finesse, podrían permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) y obtener información potencialmente confidencial aprovechando un fallo en el mecanismo de autenticación. Para más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso. Cisco Finesse and Cisco Unified CVP OpenSocial Gadget Editor Cross-Site Scripting Vulnerability A vulnerability in the web-based management interface of Cisco Finesse and Cisco Unified CVP could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-306: Missing Authentication for Critical Function •
CVE-2021-1246 – Cisco Finesse OpenSocial Gadget Editor Unauthenticated Access Vulnerability
https://notcve.org/view.php?id=CVE-2021-1246
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco Finesse, podrían permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) y obtener información potencialmente confidencial aprovechando un fallo en el mecanismo de autenticación. Para más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso. Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-306: Missing Authentication for Critical Function •
CVE-2020-3159 – Cisco Finesse Web-Based Management Interface Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2020-3159
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Finesse, podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz de administración basada en web del software afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-xss-6OgfQkUT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-0399
https://notcve.org/view.php?id=CVE-2018-0399
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to retrieve a cleartext password from an affected system. Cisco Bug IDs: CSCvg71044. Múltiples vulnerabilidades en la interfaz de gestión web de Cisco Finesse podrían permitir que un atacante remoto sin autenticar recupere una contraseña en texto claro de un sistema afectado. Cisco Bug IDs: CSCvg71044. • http://www.securityfocus.com/bid/104886 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-finesse • CWE-264: Permissions, Privileges, and Access Controls CWE-918: Server-Side Request Forgery (SSRF) •