Cisco Finesse OpenSocial Gadget Editor Cross-Site Scripting Vulnerability
Description
An unauthenticated cross-site scripting (XSS) vulnerability in the OpenSocial Gadget Editor of Cisco Finesse and Cisco Unified CVP allows a remote attacker to execute arbitrary script in a user's browser via a crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the OpenSocial Gadget Editor component of the web-based management interface of Cisco Finesse and Cisco Unified Customer Voice Portal (CVP). The interface does not properly validate user-supplied input before rendering it, so script supplied in a request is returned to the user's browser and executed. Affected versions: Cisco Finesse releases earlier than 12.0(1) ES3 and 12.5(1); Cisco Unified CVP releases 12.6(2) ES4 through 12.6(2) ES17. [1]
Exploitation
An unauthenticated, remote attacker can exploit this vulnerability by persuading a user of the interface to click a crafted link. The attacker needs no credentials and no prior access to the system; the only precondition is user interaction, namely that the victim's browser loads the crafted link from the affected interface. [1]
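The pattern the two paragraphs above describe, a reflected XSS where a value from a crafted link is rendered into the management page, can be shown with a small request-handling example. This is an added illustration of the vulnerability class, not Cisco's OpenSocial Gadget Editor code (which is not on this page); the route, the "gadget" parameter name, the hostname and the payload are constructed for the example. It shows the vulnerable rendering beside the hardened one.

```javascript
// Added illustration of reflected XSS via a crafted link. Not Cisco's code:
// the route, parameter name, hostname and payload below are constructed.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the hypothetical "gadget" query parameter out of the requested URL.
// URLSearchParams percent-decodes it, so the server sees the raw payload.
function gadgetNameFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get('gadget') || '';
}

// Vulnerable pattern: the untrusted value is concatenated straight into markup,
// so whatever the link carried becomes part of the page the victim's browser runs.
function renderEditorVulnerable(requestUrl) {
  const name = gadgetNameFromUrl(requestUrl);
  return `<h1>Editing gadget: ${name}</h1>`;
}

// Hardened pattern: the same page, with the value encoded for HTML text context.
// A value placed inside a <script> block, a URL or a CSS rule needs the encoder
// for that context instead; HTML escaping alone is not sufficient there.
function renderEditorHardened(requestUrl) {
  const name = gadgetNameFromUrl(requestUrl);
  return `<h1>Editing gadget: ${escapeHtml(name)}</h1>`;
}

// Demonstration-only check: does the rendered page contain a live <script> element?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed crafted link of the kind the advisory says the attacker sends the victim.
const CRAFTED_LINK =
  'https://finesse.example.test/gadget-editor?gadget=' +
  encodeURIComponent('<script>alert(document.domain)</script>');

// Stand-alone run: show both renderings side by side.
console.log('vulnerable:', renderEditorVulnerable(CRAFTED_LINK));
console.log('hardened:  ', renderEditorHardened(CRAFTED_LINK));
```

The vulnerable rendering returns the script element intact, so the browser executes it in the origin of the management interface; the hardened rendering returns the same characters as entities, which the browser displays as text. Input validation on the server is the fix Cisco's advisory describes; context-aware output encoding is the complementary control that closes the same hole even when validation is bypassed.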
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information, such as session tokens or cookies. Because the script runs in the interface's origin, it can also issue requests to the interface with the victim's session, so marking cookies HttpOnly limits what can be read but does not remove the ability to act as the user. This could lead to further compromise of the system. [1]
Mitigation
Cisco has released software updates to address this vulnerability. For Cisco Finesse, upgrade to Release 12.0(1) ES3 or later, or Release 12.5(1) or later. For Cisco Unified CVP, upgrade to a fixed release beyond 12.6(2) ES17. There are no workarounds. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 12.6(2)_ES4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. This section is only generated when the actual fix diff can be read; without it, the four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.