Cisco Finesse Vulnerabilities Let Attackers Perform Stored XSS Attack

by Esmeralda McKenzie
Cisco Finesse Vulnerabilities Let Attackers Perform Stored XSS Attack

Cisco Finesse Vulnerabilities Let Attackers Perform Stored XSS Attack

Cisco Finesse Vulnerabilities Let Attackers Make Stored XSS Assault

Cisco has issued a security advisory detailing a pair of vulnerabilities in Cisco Finesse’s web-basically basically based management interface.

These vulnerabilities, identified as CVE-2024-20404 and CVE-2024-20405, could per chance allow unauthenticated, some distance away attackers to invent a saved erroneous-situation scripting (XSS) attack.

EHA

The vulnerabilities in demand occupy a a lot away file inclusion (RFI) vulnerability and a server-side seek recordsdata from forgery (SSRF) attack.

Particularly, the saved XSS attack will doubtless be performed by exploiting the RFI vulnerability, while the SSRF attack will doubtless be performed on an affected system thru Cisco Finesse’s web-basically basically based management interface.

Cisco has classified these vulnerabilities’ Security Impact Ranking (SIR) as Medium, basically as a result of the restricted scope of recordsdata accessible to the attacker.

The General Vulnerability Scoring System (CVSS) inferior ranking for these vulnerabilities is 7.2, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.

This implies that the vulnerabilities are community exploitable, require low attack complexity, and lift out no longer require privileges or person interaction however occupy a restricted affect on confidentiality and integrity.

Affected Products & Mitigation

At the time of e-newsletter, the vulnerabilities affected the following Cisco Finesse releases:

  • 11.6(1) ES11 and earlier
  • 12.6(2) ES01 and earlier

Cisco has launched application updates to tackle these vulnerabilities. Users are told emigrate to the mounted releases to mitigate the risks associated with these vulnerabilities. The first mounted releases are:

  • 11.6(1) ES11 and earlier: Migrate to a mounted starting up.
  • 12.6(2) ES01 and earlier: Update to 12.6(2) ES03.

No workarounds are readily available for these vulnerabilities, making it the biggest for users to exhaust the offered updates.

These vulnerabilities highlight the importance of maintaining application updated and applying security patches promptly. Cisco’s proactive starting up of updates aims to supply protection to users from doable exploitation by malicious actors. Users can refer to the unswerving Cisco Security Advisory here for additional detailed recordsdata.

Source credit : cybersecuritynews.com

Related Posts