CVE-2017-12212

Name of the Vulnerable Software and Affected Versions Cisco Unity Connection version 10.5(2)

Description A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. This is due to insufficient input validation of certain parameters passed via the HTTP GET and HTTP POST methods. An attacker could execute arbitrary script or HTML code in the user's browser by convincing a user to follow an attacker-supplied link.

Recommendations For Cisco Unity Connection version 10.5(2), update to a version that includes the fix for Cisco Bug ID CSCvf25345 to resolve the issue. As a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation. Avoid using the affected web interface until the issue is resolved.