
Cisco Unified Communications Manager Cross-Site Scripting Vulnerability (CVE-2020-3346)



Published: 2020-08-05
Updated: 2020-09-04

Affected systems:
Cisco Unified Communications Manager 12.5(1)
Cisco Unified Communications Manager 12.0(1)
Cisco Unified Communications Manager 11.5(1)
Cisco Unified Communications Manager 10.5(2)
Cisco Unified Communications Manager Session Management Edition 12.5(1)
Cisco Unified Communications Manager Session Management Edition 12.0(1)
Cisco Unified Communications Manager Session Management Edition 11.5(1)
Cisco Unified Communications Manager Session Management Edition 10.5(2)

Description:
CVE(CAN) ID: CVE-2020-3346

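Cisco Unified Communications Manager is the call-processing component of a unified communications system. It provides a scalable, distributable, and highly available enterprise IP telephony call-processing solution. Unified Communications Manager Session Management Edition is the session management edition of Unified Communications Manager.
The web management interface of Cisco Unified Communications Manager (Unified CM) versions 10.5(2), 11.5(1), 12.0(1), and 12.5(1), and of Cisco Unified Communications Manager Session Management Edition (Unified CM SME) versions 10.5(2), 11.5(1), 12.0(1), and 12.5(1), contains a cross-site scripting vulnerability. The vulnerability exists because the web management interface does not properly validate input. An unauthenticated remote attacker could exploit it by persuading a user to click a malicious link, allowing the attacker to execute arbitrary script code on the affected device or to access sensitive browser-based information.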

<*Source: David Rutishauser (Luzerner Psychiatrie)
        Chris Whipp
  
  Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-selfcare-drASc7s
*>

Recommendation:
Vendor patch:

Cisco
-----
Cisco has published a security advisory (cisco-sa-cucm-selfcare-drASc7sr) and corresponding patches for this issue:
cisco-sa-cucm-selfcare-drASc7sr: Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-selfcare-drASc7s

This article is original content; copyright belongs to 必火网络安全培训. Reproduction is prohibited, and violators bear the consequences.