Cisco Unified Contact Center Express
Recent Cisco Unified Contact Center Express Security Advisories
Advisory | Title | Published |
---|---|---|
2023-08-16 | Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability | August 16, 2023 |
2023-04-05 | Cisco Unified Contact Center Express Stored Cross-Site Scripting Vulnerability | April 5, 2023 |
By the Year
In 2025 there have been 0 vulnerabilities in Cisco Unified Contact Center Express. Last year, in 2024, Unified Contact Center Express had 1 security vulnerability published. Right now, Unified Contact Center Express is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 1 | 10.00 |
2023 | 5 | 5.52 |
2022 | 1 | 9.60 |
2021 | 3 | 7.40 |
2020 | 4 | 7.63 |
2019 | 3 | 6.13 |
2018 | 4 | 7.70 |
It may take a day or so for new Unified Contact Center Express vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Cisco Unified Contact Center Express Security Vulnerabilities
CVE-2024-20253
10 - Critical
- January 26, 2024
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.
CVE-2023-20232
5.3 - Medium
- August 16, 2023
A vulnerability in the Tomcat implementation for Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to cause a web cache poisoning attack on an affected device. This vulnerability is due to improper input validation of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a specific API endpoint on the Unified CCX Finesse Portal. A successful exploit could allow the attacker to cause the internal WebProxy to redirect users to an attacker-controlled host.
Improper Input Validation
CVE-2023-20096
5.4 - Medium
- April 05, 2023
A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by entering crafted text into various input fields within the web-based management interface. A successful exploit could allow the attacker to perform a stored XSS attack, which could allow the execution of scripts within the context of other users of the interface.
XSS
CVE-2023-20061
6.5 - Medium
- March 03, 2023
Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.
Exposure of Resource to Wrong Sphere
CVE-2023-20062
4.3 - Medium
- March 03, 2023
Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to collect sensitive information or perform a server-side request forgery (SSRF) attack on an affected system. Cisco plans to release software updates that address these vulnerabilities.
SSRF
CVE-2023-20058
6.1 - Medium
- January 20, 2023
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
XSS
CVE-2022-20658
9.6 - Critical
- January 14, 2022
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials.
Incorrect Resource Transfer Between Spheres
CVE-2021-44228
10 - Critical
- December 10, 2021
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Improper Input Validation
CVE-2021-1395
6.1 - Medium
- June 16, 2021
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
XSS
CVE-2021-1463
6.1 - Medium
- April 08, 2021
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
XSS
CVE-2020-3267
7.1 - High
- June 03, 2020
A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition.
Files or Directories Accessible to External Parties
CVE-2020-3280
9.8 - Critical
- May 22, 2020
A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.
Marshaling, Unmarshaling
CVE-2020-3177
7.5 - High
- April 15, 2020
A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system.
Directory traversal
CVE-2019-15278
6.1 - Medium
- January 26, 2020
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information.
XSS
CVE-2019-15259
6.1 - Medium
- October 02, 2019
A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request on an affected device. A successful exploit could allow the attacker to perform cross-site scripting attacks, web cache poisoning, access sensitive browser-based information, and similar exploits.
Improper Input Validation
CVE-2019-12633
7.5 - High
- September 05, 2019
A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If the request is processed, the attacker could access the system and perform unauthorized actions.
SSRF
CVE-2019-12626
4.8 - Medium
- August 21, 2019
A vulnerability in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs valid administrator credentials.
Improper Input Validation
CVE-2018-0400
6.1 - Medium
- July 18, 2018
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70904.
XSS
CVE-2018-0403
9.8 - Critical
- July 18, 2018
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to retrieve a cleartext password. Cisco Bug IDs: CSCvg71040.
SSRF
CVE-2018-0402
8.8 - High
- July 18, 2018
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921.
Session Riding
CVE-2018-0401
6.1 - Medium
- July 18, 2018
Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70967.
XSS
