CVE-2022-20631
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious script code in a chat window. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES3 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES4 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES6 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES8 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES5a | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES9 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES6_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES6 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES5 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1)_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1) | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1)_ES3_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES3 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES11 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES4 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES5 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES2 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES9a | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES10 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1) | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1)_ES3 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.6(1) | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.5(1) | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES2 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES7 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1)_ES2 | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.6(1)_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1) | affected |
| Cisco | Cisco Enterprise Chat and Email | 12.5(1)_ES1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.5(1)_ES1_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.6(1)_ES8_ET1 | affected |
| Cisco | Cisco Enterprise Chat and Email | 11.5(1)_ES1 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.