CVE-2026-20109

Summary

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. 

These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Packaged Contact Center Enterprise12.5(1)affected
CiscoCisco Packaged Contact Center Enterprise11.0(1)affected
CiscoCisco Packaged Contact Center Enterprise12.0(1)affected
CiscoCisco Packaged Contact Center Enterprise11.0(2)affected
CiscoCisco Packaged Contact Center Enterprise11.5(1)affected
CiscoCisco Packaged Contact Center Enterprise10.5(1)affected
CiscoCisco Packaged Contact Center Enterprise10.5(2)affected
CiscoCisco Packaged Contact Center Enterprise11.6(2)affected
CiscoCisco Packaged Contact Center Enterprise10.5(1)_ES7affected
CiscoCisco Packaged Contact Center Enterprise11.6(1)affected
CiscoCisco Packaged Contact Center Enterprise10.5(2)_ES8affected
CiscoCisco Packaged Contact Center Enterprise12.6(1)affected
CiscoCisco Packaged Contact Center Enterprise12.5(2)affected
CiscoCisco Packaged Contact Center Enterprise12.6(2)affected
CiscoCisco Packaged Contact Center Enterprise15.0(1)affected
CiscoCisco Unified Contact Center Enterprise12.6(1)ES3affected
CiscoCisco Unified Contact Center Enterprise12.6(1)ES1affected
CiscoCisco Unified Contact Center Enterprise12.6(1)affected
CiscoCisco Unified Contact Center Enterprise12.6(1)ES2affected
CiscoCisco Unified Contact Center Enterprise12.6(1)SecurityPatchaffected
CiscoCisco Unified Contact Center Enterprise12.5(1)ES1affected
CiscoCisco Unified Contact Center Enterprise12.5(1)affected
CiscoCisco Unified Contact Center Enterprise12.6(1)ES4affected
CiscoCisco Unified Contact Center Enterprise11.0(1)affected
CiscoCisco Unified Contact Center Enterprise10.5(1)affected
CiscoCisco Unified Contact Center Enterprise12.0(1)affected
CiscoCisco Unified Contact Center Enterprise10.5affected
CiscoCisco Unified Contact Center Enterprise11.0affected
CiscoCisco Unified Contact Center Enterprise11.5affected
CiscoCisco Unified Contact Center Enterprise12.6(2)affected
CiscoCisco Unified Contact Center Enterprise12.6(2)ES1affected
CiscoCisco Unified Contact Center Enterprise12.6(2)ES2affected
CiscoCisco Unified Contact Center Enterprise15.0(1)affected
CiscoCisco Unified Contact Center Enterprise12.6(2)ES3affected
CiscoCisco Unified Contact Center Enterprise15.0(1)ET01affected
CiscoCisco Unified Contact Center Enterprise15.0(1)_SP1affected
CiscoCisco Unified Contact Center Enterprise15.0(1)ES202508affected
CiscoCisco Unified Contact Center Enterprise12.6(2)_ESaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References