Page 3 of 19 results (0.003 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by providing crafted data to a specific field within the interface. A successful exploit could allow the attacker to store an XSS attack within the interface. This stored XSS attack would then be executed on the system of any user viewing the attacker-supplied data element. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-uc-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 32EXPL: 0

Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because a certain system log file does not have a maximum size restriction. Therefore, the file is allowed to consume the majority of available disk space on the appliance. An attacker could exploit this vulnerability by sending crafted remote connection requests to the appliance. Successful exploitation could allow the attacker to increase the size of a system log file so that it consumes most of the disk space. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Known Affected Releases 10.5(2). Cisco Bug IDs: CSCvf25345. • http://www.securityfocus.com/bid/100645 http://www.securitytracker.com/id/1039277 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf25345 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-cuc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug IDs: CSCvd90118. Una vulnerabilidad en el parámetro ImageID de Cisco Unity Connection 10.5 (2) podría permitir a un atacante remoto no autenticado acceder a archivos en ubicaciones arbitrarias en el sistema de archivos de un dispositivo afectado. • http://www.securityfocus.com/bid/98286 http://www.securitytracker.com/id/1038400 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cuc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0

Cross-site scripting (XSS) vulnerability in Cisco Unity Connection through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCus21776. Vulnerabilidad de XSS en Cisco Unity Connection hasta la versión 11.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de parámetros no especificados, también conocida como Bug ID CSCus21776. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160412-unity http://www.securitytracker.com/id/1035562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •