CVE-2019-1888 – Cisco Unified Contact Center Express Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1888
A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-privesc-Zd7bvwyf • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-15278 – Cisco Finesse Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-15278
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Finesse, podría permitir a un atacante remoto no autenticado omitir la autorización y acceder a información confidencial relacionada con el dispositivo. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-finesse-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-15259 – Cisco Unified Contact Center Express HTTP Response Splitting Vulnerability
https://notcve.org/view.php?id=CVE-2019-15259
A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request on an affected device. A successful exploit could allow the attacker to perform cross-site scripting attacks, web cache poisoning, access sensitive browser-based information, and similar exploits. Una vulnerabilidad en el Software Cisco Unified Contact Center Express (UCCX), podría permitir a un atacante remoto no autenticado realizar un ataque de división de respuesta HTTP. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-uccx- • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2019-12633 – Cisco Unified Contact Center Express Request Processing Server-Side Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-12633
A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If the request is processed, the attacker could access the system and perform unauthorized actions. Una vulnerabilidad en Cisco Unified Contact Center Express (Unified CCX) podría permitir a un atacante remoto no autenticado omitir los controles de acceso y conducir un ataque de tipo server-side request forgery (SSRF) en un sistema de destino. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-unified-ccx-ssrf • CWE-20: Improper Input Validation CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2018-0400
https://notcve.org/view.php?id=CVE-2018-0400
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70904. Múltiples vulnerabilidades en la interfaz de gestión web de Cisco Unified Contact Center Express (Unified CCX) podrían permitir que un atacante remoto sin autenticar lleve a cabo ataques de Cross-Site Scripting (XSS) contra un usuario de la interfaz. Cisco Bug IDs: CSCvg70904. • http://www.securitytracker.com/id/1041352 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-uccx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •