ID

VAR-201601-0042


CVE

CVE-2016-1298


TITLE

Cisco Unified Contact Center Express Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-001330

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Contact Center Express 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via vectors related to permalinks, aka Bug ID CSCux92033. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCux92033. Cisco Unified Contact Center Express integrates agent applications and self-service voice services, and provides functions such as call distribution and customer access control. The following releases are affected: Cisco Unified CCX Release 10.0(1), Release 10.5(1), Release 10.6(1), and Release 11.0(1).

Trust: 2.07

sources: NVD: CVE-2016-1298 // JVNDB: JVNDB-2016-001330 // BID: 81798 // VULHUB: VHN-90117 // VULMON: CVE-2016-1298

AFFECTED PRODUCTS

vendor: cisco // model: unified contact center express // scope: eq // version: 10.0\(1\)

Trust: 1.6

vendor: cisco // model: unified contact center express // scope: eq // version: 10.6\(1\)

Trust: 1.6

vendor: cisco // model: unified contact center express // scope: eq // version: 11.0\(1\)

Trust: 1.6

vendor: cisco // model: unified contact center express // scope: eq // version: 10.5\(1\)

Trust: 1.6

vendor: cisco // model: unified contact center express // scope: eq // version: 11.0(1)

Trust: 1.1

vendor: cisco // model: unified contact center express // scope: eq // version: 10.6(1)

Trust: 1.1

vendor: cisco // model: unified contact center express // scope: eq // version: 10.5(1)

Trust: 1.1

vendor: cisco // model: unified contact center express // scope: eq // version: 10.0(1)

Trust: 1.1

sources: BID: 81798 // JVNDB: JVNDB-2016-001330 // CNNVD: CNNVD-201601-631 // NVD: CVE-2016-1298

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-1298
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-1298
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201601-631
value: MEDIUM

Trust: 0.6

VULHUB: VHN-90117
value: MEDIUM

Trust: 0.1

VULMON: CVE-2016-1298
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-1298
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-90117
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-1298
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-90117 // VULMON: CVE-2016-1298 // JVNDB: JVNDB-2016-001330 // CNNVD: CNNVD-201601-631 // NVD: CVE-2016-1298

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-90117 // JVNDB: JVNDB-2016-001330 // NVD: CVE-2016-1298

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-631

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201601-631

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001330

PATCH

title: cisco-sa-20160125-ucce // url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160125-ucce

Trust: 0.8

title: Cisco: Cisco Unified Contact Center Express Cross-Site Scripting Vulnerability // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20160125-ucce

Trust: 0.1

sources: VULMON: CVE-2016-1298 // JVNDB: JVNDB-2016-001330

EXTERNAL IDS

db: NVD // id: CVE-2016-1298

Trust: 2.9

db: SECTRACK // id: 1034828

Trust: 1.2

db: JVNDB // id: JVNDB-2016-001330

Trust: 0.8

db: CNNVD // id: CNNVD-201601-631

Trust: 0.7

db: BID // id: 81798

Trust: 0.5

db: VULHUB // id: VHN-90117

Trust: 0.1

db: VULMON // id: CVE-2016-1298

Trust: 0.1

sources: VULHUB: VHN-90117 // VULMON: CVE-2016-1298 // BID: 81798 // JVNDB: JVNDB-2016-001330 // CNNVD: CNNVD-201601-631 // NVD: CVE-2016-1298

REFERENCES

url: http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160125-ucce

Trust: 2.2

url: http://www.securitytracker.com/id/1034828

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1298

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1298

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://www.securityfocus.com/bid/81798

Trust: 0.1

sources: VULHUB: VHN-90117 // VULMON: CVE-2016-1298 // BID: 81798 // JVNDB: JVNDB-2016-001330 // CNNVD: CNNVD-201601-631 // NVD: CVE-2016-1298

CREDITS

Cisco

Trust: 0.3

sources: BID: 81798

SOURCES

db: VULHUB // id: VHN-90117
db: VULMON // id: CVE-2016-1298
db: BID // id: 81798
db: JVNDB // id: JVNDB-2016-001330
db: CNNVD // id: CNNVD-201601-631
db: NVD // id: CVE-2016-1298

LAST UPDATE DATE

2024-11-23T21:54:45.719000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-90117 // date: 2016-12-07T00:00:00
db: VULMON // id: CVE-2016-1298 // date: 2016-12-07T00:00:00
db: BID // id: 81798 // date: 2016-01-25T00:00:00
db: JVNDB // id: JVNDB-2016-001330 // date: 2016-01-27T00:00:00
db: CNNVD // id: CNNVD-201601-631 // date: 2016-01-27T00:00:00
db: NVD // id: CVE-2016-1298 // date: 2024-11-21T02:46:08.447

SOURCES RELEASE DATE

db: VULHUB // id: VHN-90117 // date: 2016-01-26T00:00:00
db: VULMON // id: CVE-2016-1298 // date: 2016-01-26T00:00:00
db: BID // id: 81798 // date: 2016-01-25T00:00:00
db: JVNDB // id: JVNDB-2016-001330 // date: 2016-01-27T00:00:00
db: CNNVD // id: CNNVD-201601-631 // date: 2016-01-27T00:00:00
db: NVD // id: CVE-2016-1298 // date: 2016-01-26T05:59:01.223