PT-2022-6641 · Cisco · Upstream Works Agent Desktop For Cisco Finesse

Published: 2022-06-07 · Updated: 2025-02-12 · CVE-2022-37462

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Upstream Works Agent Desktop for Cisco Finesse versions 4.2.12 and earlier, 5.0

Description: A stored Cross-Site Scripting (XSS) issue in the Chat gadget allows remote attackers to inject arbitrary web script or HTML via the AttachmentId in the file-upload details. This could enable attackers to perform cross-site scripting attacks.

Recommendations: For versions 4.2.12 and earlier, and version 5.0, consider disabling the file-upload feature in the Chat gadget until a patch is available to prevent exploitation of the AttachmentId variable. Restrict access to the Chat gadget to minimize the risk of cross-site scripting attacks. Avoid using the AttachmentId variable in the file-upload details until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-02998
CVE-2022-37462

Affected Products

Upstream Works Agent Desktop For Cisco Finesse