CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1685 – Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1685
21 Feb 2019 — A vulnerability in the Security Assertion Markup Language (SAML) single sign-on (SSO) interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful expl... • http://www.securityfocus.com/bid/107102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15396 – Cisco Unity Connection File Upload Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2018-15396
05 Oct 2018 — A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity Connection could allow an authenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software does not restrict the maximum size of certain files that can be written to disk. An attacker who has valid administrator credentials for an affected system could exploit this vulnerability by sending a crafted, remote connection request to an affec... • http://www.securitytracker.com/id/1041782 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 0CVE-2018-15403 – Multiple Cisco Unified Communications Products Open Redirect Vulnerability
https://notcve.org/view.php?id=CVE-2018-15403
05 Oct 2018 — A vulnerability in the web interface of Cisco Emergency Responder, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an authenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters of an HTTP request. An attacker could exploit this vulnerability by crafting an HTTP request that causes the web interface to redirect a request to a specific... • http://www.securitytracker.com/id/1041780 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15426 – Cisco Unity Connection Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2018-15426
05 Oct 2018 — A vulnerability in the web-based interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the web-based interface to click a malicious link. A success... • http://www.securitytracker.com/id/1041781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0354
https://notcve.org/view.php?id=CVE-2018-0354
07 Jun 2018 — A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's br... • http://www.securityfocus.com/bid/104426 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 32EXPL: 0CVE-2017-6779
https://notcve.org/view.php?id=CVE-2017-6779
07 Jun 2018 — Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because a certain system log file does not have a maximum size restriction. Therefore, the file is allowed to consume the majority of available disk space on the appliance. An attacker could exploit this vulner... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0203
https://notcve.org/view.php?id=CVE-2018-0203
22 Feb 2018 — A vulnerability in the SMTP relay of Cisco Unity Connection could allow an unauthenticated, remote attacker to send unsolicited email messages, aka a Mail Relay Vulnerability. The vulnerability is due to improper handling of domain information in the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted requests to the targeted application. A successful exploit could allow the attacker to send email messages to arbitrary addresses. Cisco Bug IDs: CSCvg622... • http://www.securityfocus.com/bid/103142 • CWE-19: Data Processing Errors •
CVSS: 10.0EPSS: 12%CPEs: 12EXPL: 0CVE-2017-12337
https://notcve.org/view.php?id=CVE-2017-12337
16 Nov 2017 — A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access ... • http://www.securityfocus.com/bid/101865 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12212
https://notcve.org/view.php?id=CVE-2017-12212
07 Sep 2017 — A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the u... • http://www.securityfocus.com/bid/100645 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 0CVE-2017-6629
https://notcve.org/view.php?id=CVE-2017-6629
03 May 2017 — A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug IDs: CSCvd90118. Una vulnerabilidad en el parámetro Ima... • http://www.securityfocus.com/bid/98286 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •