Description
A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.
Problem types
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
11.6(1)
11.6(1)_ES2
11.6(1)_ES3
11.6(1)_ES4
11.6(1)_ES5
11.6(1)_ES6
11.6(1)_ES10
11.6(1)_ES11
11.6(1)_ES7
11.6(1)_ES8
11.6(1)_ES9
11.6(1)_ES9a
11.6(1)_ES12
12.0(1)
12.0(1)_ES1
12.0(1)_ES2
12.0(1)_ES3
12.0(1)_ES4
12.0(1)_ES5
12.0(1)_ES5a
12.0(1)_ES6
12.0(1)_ES6_ET1
12.0(1)_ES6_ET2
12.0(1)_ES6_ET3
12.0(1)_ES7
12.0(1)_ES7_ET1
12.5(1)
12.5(1)_ES1
12.5(1)_ES2
12.5(1)_ES3
12.5(1)_ES3_ET1
12.5(1)_ET1
12.5(1)_ES4
12.5(1)_ES3_ET2
12.5(1)_ES4_ET1
12.5(1)_ES5
12.5(1)_ES5_ET1
12.5(1)_ES6
12.5(1)_ES7
12.5(1)_ES8
12.6(1)
12.6(1)_ET1
12.6(1)_ET2
12.6(1)_ES1
12.6(1)_ET3
12.6(1)_ES1_ET1
12.6(1)_ES2
12.6(1)_ES3
12.6(1)_ES4
12.6(1)_ES4_ET1
12.6(1)_ES5
12.6(1)_ES5_ET1
12.6(1)_ES5_ET2
12.6(1)_ES6
12.6(1)_ES6_ET1
12.6(1)_ES6_ET2
12.6_ES2_ET1
12.6_ES2_ET2
12.6_ES2_ET3
12.6_ES2_ET4
12.6_ES3_ET1
12.6_ES3_ET2
References
sec.cloudapps.cisco.com/...dvisory/cisco-sa-ece-xss-CSQxgxfM (cisco-sa-ece-xss-CSQxgxfM)
