CVE-2021-1254 – Cisco Finesse Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1254
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit these vulnerabilities by injecting malicious code into the web-based management interface and persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. An attacker needs valid administrator credentials to inject the malicious script code. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-strd-xss-bUKqffFW • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-1245 – Cisco Finesse OpenSocial Gadget Editor Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-1245
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco Finesse, podrían permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) y obtener información potencialmente confidencial aprovechando un fallo en el mecanismo de autenticación. Para más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso. Cisco Finesse and Cisco Unified CVP OpenSocial Gadget Editor Cross-Site Scripting Vulnerability A vulnerability in the web-based management interface of Cisco Finesse and Cisco Unified CVP could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-306: Missing Authentication for Critical Function •
CVE-2021-1246 – Cisco Finesse OpenSocial Gadget Editor Unauthenticated Access Vulnerability
https://notcve.org/view.php?id=CVE-2021-1246
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco Finesse, podrían permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) y obtener información potencialmente confidencial aprovechando un fallo en el mecanismo de autenticación. Para más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso. Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-306: Missing Authentication for Critical Function •
CVE-2019-15278 – Cisco Finesse Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-15278
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Finesse, podría permitir a un atacante remoto no autenticado omitir la autorización y acceder a información confidencial relacionada con el dispositivo. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-finesse-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12632 – Cisco Finesse Request Processing Server-Side Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-12632
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on an affected system. The vulnerability exists because the affected system does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a user of the web application. A successful exploit could allow the attacker to access the system and perform unauthorized actions. Una vulnerabilidad en Cisco Finesse, podría permitir a un atacante remoto no autenticado omitir los controles de acceso y conducir un ataque de tipo server-side request forgery (SSRF) en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-finesse-ssrf • CWE-20: Improper Input Validation CWE-918: Server-Side Request Forgery (SSRF) •