Multiple Cisco Finesse Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in Cisco Finesse could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.

The vulnerabilities are due to improper input validation of certain parameters passed via HTTP GET or POST methods to an affected device. An unauthenticated, remote attacker could exploit these vulnerabilities by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary code in the context of the affected site or allow the attacker to access sensitive browser-based information.

Cisco has confirmed the vulnerabilities and has released updated software.

To exploit the vulnerabilities, the attacker may provide a link that directs a user to a malicious site or provide a crafted file intended to submit malicious input to the affected software to a user and use misleading language or instructions to persuade the user to follow the provided link or open the provided file.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.