Cisco Unified Contact Center Enterprise


Recent Cisco Unified Contact Center Enterprise Security Advisories

| Advisory Title | Published |
| --- | --- |
| Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerabilities | January 21, 2026 |
| Cisco Unified Contact Center Enterprise Cloud Connect Insufficient Access Control Vulnerability | May 21, 2025 |

By the Year

In 2026 there have been 2 vulnerabilities in Cisco Unified Contact Center Enterprise, with an average score of 4.8 out of ten. Last year, in 2025, Unified Contact Center Enterprise had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Unified Contact Center Enterprise in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.90.




| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 2 | 4.80 |
| 2025 | 2 | 6.70 |
| 2024 | 0 | 0.00 |
| 2023 | 4 | 6.10 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 7.35 |
| 2020 | 1 | 5.90 |

It may take a day or so for new Unified Contact Center Enterprise vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cisco Unified Contact Center Enterprise Security Vulnerabilities

Cisco Packaged CCE XSS via Authenticated Web UI
CVE-2026-20109 4.8 - Medium - January 21, 2026

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.  These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

XSS

Cisco CCE Web UI XSS via Improper Input Validation
CVE-2026-20055 4.8 - Medium - January 21, 2026

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.  These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

XSS

CVE-2025-20377: Authenticated API Info Leak in Cisco UIC
CVE-2025-20377 4.3 - Medium - November 05, 2025

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. This vulnerability is due to improper validation of requests to certain API endpoints. An attacker could exploit this vulnerability by sending a valid request to a specific API endpoint within the affected system. A successful exploit could allow a low-privileged user to view sensitive information on the affected system that should be restricted. To exploit this vulnerability, the attacker must have valid user credentials on the affected system.

Information Disclosure

Cisco CCE Cloud Connect Auth Bypass Vulnerability
CVE-2025-20242 9.1 - Critical - May 21, 2025

A vulnerability in the Cloud Connect component of Cisco Unified Contact Center Enterprise (CCE) could allow an unauthenticated, remote attacker to read and modify data on an affected device. This vulnerability is due to a lack of proper authentication controls. An attacker could exploit this vulnerability by sending crafted TCP data to a specific port on an affected device. A successful exploit could allow the attacker to read or modify data on the affected device.

Authorization

HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

Cisco Unified Intelligence Center SSRF & Info Disclosure
CVE-2023-20062 4.3 - Medium - March 03, 2023

Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.

SSRF

Cisco Unified Intell. Center SSRF & Info Disclosure (CVE-2023-20061)
CVE-2023-20061 6.5 - Medium - March 03, 2023

Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.

Exposure of Resource to Wrong Sphere

Unauthenticated XSS in Cisco Unified Intelligence Center Web UI
CVE-2023-20058 6.1 - Medium - January 20, 2023

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

XSS

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2
CVE-2021-44228 10 - Critical - December 10, 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Marshaling, Unmarshaling

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could
CVE-2021-1395 4.7 - Medium - June 16, 2021

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

XSS

A vulnerability in the Live Data server of Cisco Unified Contact Center Enterprise could
CVE-2020-3163 5.9 - Medium - February 19, 2020

A vulnerability in the Live Data server of Cisco Unified Contact Center Enterprise could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software improperly manages resources when processing inbound Live Data traffic. An attacker could exploit this vulnerability by sending multiple crafted Live Data packets to an affected device. A successful exploit could cause the affected device to run out of buffer resources, which could result in a stack overflow and cause the affected device to reload, resulting in a DoS condition. Note: The Live Data port in Cisco Unified Contact Center Enterprise devices allows only a single TCP connection. To exploit this vulnerability, an attacker would have to send crafted packets to an affected device before a legitimate Live Data client establishes a connection.

Race Condition
