Lucene search

[email protected]CVE-2024-20405

HistoryJun 05, 2024 - 5:15 p.m.

CVE-2024-20405

2024-06-0517:15:12

CWE-20

CWE-79

[email protected]

web.nvd.nist.gov

vulnerability

cisco finesse

web-based

remote attacker

stored xss

rfi

user validation

crafted link

arbitrary script code

sensitive information

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a stored XSS attack by exploiting an RFI vulnerability.

This vulnerability is due to insufficient validation of user-supplied input for specific HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.

Affected configurations

NVD

Node

ciscofinesseRange<11.6\(1\)

ciscofinesseMatch11.6\(1\)-

ciscofinesseMatch11.6\(1\)es4

ciscofinesseMatch11.6\(1\)es5

ciscofinesseMatch11.6\(1\)es6

ciscofinesseMatch11.6\(1\)es7

ciscofinesseMatch11.6\(1\)es8

ciscofinesseMatch12.6\(2\)-

ciscofinesseMatch12.6\(2\)es01

ciscofinesseMatch12.6\(2\)es02

CPENameOperatorVersion
cisco:finessecisco finesselt11.6\(1\)
cisco:finessecisco finesseeq12.6\(2\)

CPE	Name	Operator	Version
cisco:finesse	cisco finesse	lt	11.6\(1\)
cisco:finesse	cisco finesse	eq	12.6\(2\)

CNA Affected

[
  {
    "vendor": "Cisco",
    "product": "Cisco Unified Contact Center Enterprise",
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Cisco",
    "product": "Cisco Unified Contact Center Express",
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Cisco",
    "product": "Cisco Finesse",
    "versions": [
      {
        "version": "12.6(2)",
        "status": "affected"
      },
      {
        "version": "12.6(2)ES1",
        "status": "affected"
      },
      {
        "version": "12.6(2)ES2",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Cisco",
    "product": "Cisco Packaged Contact Center Enterprise",
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  }
]

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-ssrf-rfi-Um7wT8Ew

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for CVE-2024-20405

nvd1 vulnrichment1 cvelist1 cisco1