CVE-2012-4259
Description
Cross-site scripting (XSS) vulnerability in the contacts in (1) XPhone UC Web and the (2) web frontend for XPhone Virtual Directory in C4B XPhone Unified Communications (UC) 2011 Web 4.1.890S R1 allows remote attackers to inject arbitrary web script or HTML via the company name. NOTE: some of these details are obtained from third party information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in C4B XPhone UC Web 4.1.890S R1 allows remote attackers to inject arbitrary script via company name in contacts, executed on every client searching for the user.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the contacts module of C4B XPhone UC Web version 4.1.890SR1 (and possibly earlier versions). The company name field is not properly sanitized, allowing an attacker to inject arbitrary script code. The injection can be performed via a connected groupware application such as Microsoft Outlook or IBM Lotus Notes that synchronizes contact data with the XPhone system [1].
Exploitation
An attacker with the ability to modify contact information through a connected groupware application can inject malicious script into the company name field. When other users search for or view details of the manipulated contact, the injected script executes in their browser. No authentication is required for the victim; the attack is triggered automatically upon viewing the contact [1].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other client-side attacks. The attacker does not gain direct server-side access but can compromise user sessions and data [1].
Mitigation
No official patch or fixed version is mentioned in the available references. The vendor may have released an update after the disclosure date (2012-04-24), but it is not confirmed. As a workaround, administrators should sanitize input fields and consider disabling groupware synchronization if not essential. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- archives.neohapsis.com/archives/bugtraq/2012-04/0216.htmlnvdExploit
- security.inshell.net/advisory/16nvdExploit
- www.exploit-db.com/exploits/18802nvdExploit
- www.securityfocus.com/bid/53283nvdExploit
- secunia.com/advisories/48979nvdVendor Advisory
- osvdb.org/81559nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/75221nvd
News mentions
0No linked articles in our index yet.