Stanislaw Koza

**Name of the Vulnerable Software and Affected Versions** Cisco TelePresence Management Suite (TMS) Software (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This issue is due to insufficient input validation by the web-based management interface. An attacker could exploit this by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco TelePresence Management Suite (affected versions not specified) **Description** The issue exists due to insufficient input validation by the web-based management interface, allowing an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This could enable the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The attacker could exploit this by inserting malicious data in a specific data field in the interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** The issue exists due to the lack of protection of the web page structure in the Cisco Identity Services Engine (ISE) management interface. This could allow a remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability is caused by the web-based management interface not properly validating user-supplied input, allowing an attacker to inject malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.