Posts for: #Cisco Unified Communications Manager

Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability

🚨 SEVERITY: MEDIUM - CVSS 4.8 Security Advisory

TL;DR 📌

A stored cross-site scripting (XSS) vulnerability has been identified in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). It allows an authenticated, remote attacker to execute arbitrary script code in the context of the management interface or to access sensitive, browser-based information belonging to other users of that interface. Cisco has released software updates that address it; there are no workarounds.

What happened 🕵️‍♂️

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against other users of the interface. The root cause is that the interface does not properly validate user-supplied input before storing it and later rendering it into pages viewed by other users, so an attacker can inject script into a stored field. A successful exploit allows the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information such as session data.
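The failure described above is an output-encoding problem, not something a keyword filter fixes. The example below is added here to illustrate that point; it is not Unified CM code, and the field name and payloads are constructed. It renders a stored display name three ways: verbatim (stored XSS), through a naive `<script>` blocklist (still exploitable via an event-handler attribute), and through HTML escaping (inert).

```python
import html
import re

# Constructed payloads an authenticated user might save in a free-text
# profile field (assumption: the advisory names no specific field).
PAYLOAD_SCRIPT = 'Alice<script>fetch("/x?c=" + document.cookie)</script>'
PAYLOAD_EVENT = 'Bob<img src=x onerror="fetch(`/x?c=` + document.cookie)">'


def page(name: str) -> str:
    """Hypothetical management page that greets the viewer by stored name."""
    return f"<html><body><h1>Welcome, {name}</h1></body></html>"


def render_vulnerable(name: str) -> str:
    # Stored value goes straight into HTML: whatever markup it holds runs
    # in every browser that loads this page.
    return page(name)


def render_blocklisted(name: str) -> str:
    # A typical "validation" mistake: strip <script> tags and call it done.
    # Event-handler attributes, javascript: URLs and encoded variants survive.
    cleaned = re.sub(r"(?i)<\s*/?\s*script[^>]*>", "", name)
    return page(cleaned)


def render_hardened(name: str) -> str:
    # Contextual output encoding: every HTML metacharacter becomes an entity,
    # so the browser treats the stored value as text, never as markup.
    return page(html.escape(name, quote=True))


# Detector used to show the difference: a real <script> tag or any tag
# carrying an on*= attribute. Escaped text contains no '<', so it never matches.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def contains_active_markup(markup: str) -> bool:
    return ACTIVE_MARKUP.search(markup) is not None


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable),
                      ("blocklist", render_blocklisted),
                      ("escaped", render_hardened)):
        for payload in (PAYLOAD_SCRIPT, PAYLOAD_EVENT):
            print(f"{label:10s} active={contains_active_markup(fn(payload))}")
```

The blocklist variant is the interesting one: it "validates" the script payload yet lets the `onerror` payload through, which is why advisories like this one talk about insufficient validation rather than a missing filter.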


Cisco Unified Communications Manager Cross-Site Request Forgery Vulnerability

🚨 SEVERITY: MEDIUM - CVSS 4.3 Security Advisory

TL;DR 📌

A medium-severity cross-site request forgery (CSRF) vulnerability has been identified in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). An unauthenticated, remote attacker could exploit it by persuading a logged-in user of the web-based management interface to follow a crafted link; the victim's browser then submits the attacker's request with the victim's session, so the attacker can perform actions at the victim's privilege level. There are no workarounds, and affected customers should upgrade to fixed software.
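To make the mechanism concrete, here is an added example (not Unified CM code) of the server-side check that stops this class of attack: a synchronizer token bound to the session plus an Origin/Referer check. The origin, session layout and request shapes are hypothetical; the point is that the forged request arrives with the victim's cookies but without the per-session token and with a foreign Origin.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical application origin; any real deployment would use its own.
APP_ORIGIN = "https://cucm-pub.example.internal"


def new_session() -> dict:
    """Server-side session. The CSRF token lives only here and in pages the
    app renders; it is never stored in a cookie, so a cross-site page cannot
    obtain it."""
    return {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}


def authorize_state_change(session: dict, headers: dict, form: dict):
    """Return (allowed, reason) for a state-changing request.

    The session cookie alone proves nothing about intent, because the browser
    attaches it to any form post aimed at the app. Two independent checks
    bind the request to a page the app itself served."""
    token = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "csrf token missing or wrong"

    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False, "no Origin or Referer header"
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != APP_ORIGIN:
        return False, f"cross-site origin {origin}"
    return True, "ok"


def demo():
    """Constructed legitimate and forged requests against one session."""
    session = new_session()
    # Legitimate: the page the app rendered embedded the session's token.
    ok_headers = {"Origin": APP_ORIGIN}
    ok_form = {"action": "add_user", "csrf_token": session["csrf_token"]}
    # Forged: attacker's page auto-submits a form at the app. Cookies ride
    # along, but the token is unknown and Origin names the attacker's site.
    bad_headers = {"Origin": "https://attacker.example"}
    bad_form = {"action": "add_user"}
    return (authorize_state_change(session, ok_headers, ok_form),
            authorize_state_change(session, bad_headers, bad_form))


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Either check alone is weaker than both: Origin can be absent on some navigations, and a token check is only as good as the token's secrecy, which is exactly why it must not be readable cross-site.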


Cisco Unified Communications Manager Static SSH Credentials Vulnerability

🚨 SEVERITY: CRITICAL - CVSS 10.0 Security Advisory

TL;DR 📌

  • A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for…
  • Cisco has released a software patch that addresses this issue; there are no workarounds, so applying the patch is the only remediation.
  • Until patched, restrict network reachability to SSH on affected nodes and review the secure log for root logins (see below).
  • CVEs: CVE-2025-20309.

What happened 🕵️‍♂️

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. Because the credentials are the same on every affected installation and the account is root, any attacker who can reach SSH on the device gets full control of it without any prior access. Cisco's advisory for this issue directs administrators to the secure log (/var/log/active/syslog/secure, retrieved from the CLI with `file get activelog syslog/secure`): a successful exploit leaves a root login entry there.
