CVE-2022-20788: Cisco Unified Communications Products Cross-Site Scripting Vulnerability
First published: Thu Apr 21 2022(Updated: )
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Unified Communications Manager | >=11.5\(1\)<11.5\(1\)su11 | |
| Cisco Unified Communications Manager | >=11.5\(1\)<11.5\(1\)su11 | |
| Cisco Unified Communications Manager | >=12.5\(1\)<12.5\(1\)su6 | |
| Cisco Unified Communications Manager | >=12.5\(1\)<12.5\(1\)su6 | |
| Cisco Unified Communications Manager | >=14.0<14su1 | |
| Cisco Unified Communications Manager | >=14.0<14su1 | |
| Cisco Unity Connection | >=12.5\(1\)<12.5\(1\)su6 | |
| Cisco Unity Connection | >=14.0<14su1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-20788?
CVE-2022-20788 is a vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection.
How does CVE-2022-20788 affect Cisco Unified Communications Manager?
CVE-2022-20788 allows an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against Cisco Unified Communications Manager.
What is the severity of CVE-2022-20788?
CVE-2022-20788 has a severity rating of 6.1 (Medium).
Which versions of Cisco Unified Communications Manager are affected by CVE-2022-20788?
CVE-2022-20788 affects Cisco Unified Communications Manager versions 11.5(1) to 11.5(1)su11, 12.5(1) to 12.5(1)su6, and 14.0 to 14su1.
How can I fix CVE-2022-20788?
To fix CVE-2022-20788, users should upgrade to the fixed release as indicated in the Cisco Security Advisory.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/title
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/cisco
- canonical/cisco unified communications manager
- version/cisco unified communications manager/11.5\(1\)
- version/cisco unified communications manager/12.5\(1\)
- version/cisco unified communications manager/14.0
- canonical/cisco unity connection
- version/cisco unity connection/12.5\(1\)
- version/cisco unity connection/14.0