Jake Reynolds

Researcher from FishNet Security
#51820 of 53,638
4.3 Total CVSS
Vulnerabilities · 1
PT-2006-4007
4.3
2006-06-21
Cisco · Cisco Callmanager · CVE-2006-3109
**Name of the Vulnerable Software and Affected Versions**

- Cisco CallManager versions 3.3 before 3.3(5)SR3
- Cisco CallManager versions 4.1 before 4.1(3)SR4
- Cisco CallManager versions 4.2 before 4.2(3)
- Cisco CallManager versions 4.3 before 4.3(1)

**Description**

A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `pattern` parameter in "ccmadmin/phonelist.asp" and arbitrary parameters in "ccmuser/logon.asp".

**Recommendations**

- For Cisco CallManager version 3.3, update to 3.3(5)SR3 or later.
- For Cisco CallManager version 4.1, update to 4.1(3)SR4 or later.
- For Cisco CallManager version 4.2, update to 4.2(3) or later.
- For Cisco CallManager version 4.3, update to 4.3(1) or later.