PT-2019-3812 · Cisco · Unity Connection +3
Published: 2019-10-02 · Updated: 2019-10-11
CVE-2019-12707
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Unified Communications Manager (affected versions not specified)
Cisco Unified Communications Manager SME (affected versions not specified)
Unified Communications Manager IM and Presence Service (affected versions not specified)
Unity Connection (affected versions not specified)
Description
The web-based interface of the affected software does not sufficiently protect the structure of the web pages it generates. An unauthenticated, remote attacker could exploit this to conduct a cross-site scripting (XSS) attack against a user of the web-based interface by persuading that user to click a specially crafted link, potentially allowing the execution of arbitrary code or access to confidential information.
Recommendations
For Cisco Unified Communications Manager, consider disabling access to the web-based interface until a patch is available.
For Cisco Unified Communications Manager SME, restrict access to the web-based interface to minimize the risk of exploitation.
For Unified Communications Manager IM and Presence Service, avoid using the web-based interface for sensitive operations until the issue is resolved.
For Unity Connection, as a temporary workaround, consider implementing additional validation of user-supplied input to the web-based interface.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Cisco Unified Communications Manager
Cisco Unified Communications Manager SME
Cisco Unified Communications Manager IM & Presence Service
Unity Connection