CVE-2024-20511

Published: Nov 6, 2024Modified: Aug 7, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Affected (17)

Products: Cisco: Unified Communications Manager

Cisco

1 product

Unified Communications Manager

Configuration A

17 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Communications Manager	Version 12.0(1)su1
Cisco Unified Communications Manager	Version 12.0(1)su2
Cisco Unified Communications Manager	Version 12.0(1)su3
Cisco Unified Communications Manager	Version 12.0(1)su4
Cisco Unified Communications Manager	Version 12.0(1)su5
Cisco Unified Communications Manager	Version 12.5(1)
Cisco Unified Communications Manager	Version 12.5(1)su1
Cisco Unified Communications Manager	Version 12.5(1)su2
Cisco Unified Communications Manager	Version 12.5(1)su3
Cisco Unified Communications Manager	Version 12.5(1)su4
Cisco Unified Communications Manager	Version 12.5(1)su5
Cisco Unified Communications Manager	Version 12.5(1)su6
Cisco Unified Communications Manager	Version 12.5(1)su7
Cisco Unified Communications Manager	Version 12.5(1)su7a
Cisco Unified Communications Manager	Version 12.5(1)su8
Cisco Unified Communications Manager	Version 12.5(1)su8a
Cisco Unified Communications Manager	Version 12.5(1)su9

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-xss-SVCkMMW

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.