Cisco Unified CM IM&P Web UI XSS Remote Vulnerability
CVE-2024-20310 Published on April 3, 2024

A vulnerability in the web-based interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

NVD

Vulnerability Analysis

CVE-2024-20310 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Products Associated with CVE-2024-20310

Want to know whenever a new CVE is published for Cisco Unified Communications Manager Im Presence Service? stack.watch will email you.

Cisco Unified Communications Manager Im Presence Service

Affected Versions

Cisco IOS XE Software:

Version N/A is affected.

Cisco Unified Communications Manager IM and Presence Service:

Version 10.5(1) is affected.
Version 10.5(2) is affected.
Version 10.5(2a) is affected.
Version 10.5(2b) is affected.
Version 10.5(2)SU3 is affected.
Version 10.5(2)SU2a is affected.
Version 10.5(2)SU4a is affected.
Version 10.5(2)SU4 is affected.
Version 10.5(1)SU3 is affected.
Version 10.5(1)SU1 is affected.
Version 10.5(2)SU1 is affected.
Version 10.5(2)SU2 is affected.
Version 10.5(1)SU2 is affected.
Version 11.5(1) is affected.
Version 11.5(1)SU1 is affected.
Version 11.5(1)SU2 is affected.
Version 11.5(1)SU3 is affected.
Version 11.5(1)SU3a is affected.
Version 11.5(1)SU4 is affected.
Version 11.5(1)SU5 is affected.
Version 11.5(1)SU5a is affected.
Version 11.5(1)SU6 is affected.
Version 11.5(1)SU7 is affected.
Version 11.5(1)SU8 is affected.
Version 11.5(1)SU9 is affected.
Version 11.5(1)SU10 is affected.
Version 11.5(1)SU11 is affected.
Version 11.0(1) is affected.
Version 11.0(1)SU1 is affected.
Version 12.5(1) is affected.
Version 12.5(1)SU1 is affected.
Version 12.5(1)SU2 is affected.
Version 12.5(1)SU3 is affected.
Version 12.5(1)SU4 is affected.
Version 12.5(1)SU5 is affected.
Version 12.5(1)SU6 is affected.
Version 12.5(1)SU7 is affected.
Version 14 is affected.
Version 14SU1 is affected.
Version 14SU2 is affected.
Version 14SU2a is affected.
Version 10.0(1) is affected.
Version 10.0(1)SU1 is affected.
Version 10.0(1)SU2 is affected.