CVE-2019-1702

Name of the Vulnerable Software and Affected Versions Cisco Enterprise Chat and Email version 11.6(1)

Description The issue is related to insufficient validation of user-supplied input by the web-based management interface, allowing an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. This could be achieved by injecting malicious code in a chat window or by sending a crafted link to a user of the interface. The attacker must persuade the user to click the crafted link or open the chat window containing the malicious code. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Recommendations For version 11.6(1), consider disabling the web-based management interface until a patch is available to prevent exploitation. Restrict access to the interface to minimize the risk of attack. Avoid clicking on crafted links or opening chat windows from untrusted sources to reduce the risk of XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.