CVE-2020-3346: Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
First published: Mon Aug 17 2020(Updated: )
A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Communications Manager | >=10.5\(2\)<=10.5\(2\)su10 | |
| Cisco Unified Communications Manager | >=10.5\(2\)<=10.5\(2\)su10 | |
| Cisco Unified Communications Manager | >=11.5\(1\)<=11.5\(1\)su8 | |
| Cisco Unified Communications Manager | >=11.5\(1\)<=11.5\(1\)su8 | |
| Cisco Unified Communications Manager | =12.0\(1\) | |
| Cisco Unified Communications Manager | =12.0\(1\) | |
| Cisco Unified Communications Manager | =12.5\(1\) | |
| Cisco Unified Communications Manager | =12.5\(1\) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-3346?
CVE-2020-3346 is a vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
How does CVE-2020-3346 affect Cisco Unified Communications Manager?
CVE-2020-3346 affects Cisco Unified Communications Manager (Unified CM) versions 10.5(2) to 11.5(1) and versions 12.0(1) to 12.5(1).
What is the severity of CVE-2020-3346?
CVE-2020-3346 has a severity score of 6.1 (Medium).
What is the Common Weakness Enumeration (CWE) for CVE-2020-3346?
The Common Weakness Enumeration (CWE) for CVE-2020-3346 is CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
How do I fix CVE-2020-3346?
To fix CVE-2020-3346, Cisco has released software updates. Please refer to the Cisco Security Advisory for more details.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/author
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco unified communications manager
- version/cisco unified communications manager/10.5\(2\)
- version/cisco unified communications manager/10.5\(2\)su10
- version/cisco unified communications manager/11.5\(1\)
- version/cisco unified communications manager/11.5\(1\)su8
- version/cisco unified communications manager/12.0\(1\)
- version/cisco unified communications manager/12.5\(1\)