6.1

CVE-2026-20116

Medienbericht
A vulnerability in the web-based management interface of  Cisco Finesse, Cisco Packaged Contact Center Enterprise (Packaged CCE), Cisco Unified Contact Center Enterprise (Unified CCE), Cisco Unified Contact Center Express (Unified CCX), and Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

This vulnerability exists because the web-based management interface of an affected system does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerCisco
Produkt Cisco Unified Contact Center Express
Default Statusunknown
Version 10.5(1)SU1
Status affected
Version 10.6(1)
Status affected
Version 11.6(1)
Status affected
Version 10.6(1)SU1
Status affected
Version 10.6(1)SU3
Status affected
Version 11.6(2)
Status affected
Version 12.0(1)
Status affected
Version 11.0(1)SU1
Status affected
Version 11.5(1)SU1
Status affected
Version 10.5(1)
Status affected
Version 12.5(1)
Status affected
Version 12.5(1)SU1
Status affected
Version 12.5(1)SU2
Status affected
Version 12.5(1)SU3
Status affected
Version 12.5(1)_SU03_ES01
Status affected
Version 12.5(1)_SU03_ES02
Status affected
Version 12.5(1)_SU02_ES03
Status affected
Version 12.5(1)_SU02_ES04
Status affected
Version 12.5(1)_SU02_ES02
Status affected
Version 12.5(1)_SU01_ES02
Status affected
Version 12.5(1)_SU01_ES03
Status affected
Version 12.5(1)_SU02_ES01
Status affected
Version 11.6(2)ES07
Status affected
Version 11.6(2)ES08
Status affected
Version 12.5(1)_SU01_ES01
Status affected
Version 12.0(1)ES04
Status affected
Version 12.5(1)ES02
Status affected
Version 12.5(1)ES03
Status affected
Version 11.6(2)ES06
Status affected
Version 12.5(1)ES01
Status affected
Version 12.0(1)ES03
Status affected
Version 12.0(1)ES01
Status affected
Version 11.6(2)ES05
Status affected
Version 12.0(1)ES02
Status affected
Version 11.6(2)ES04
Status affected
Version 11.6(2)ES03
Status affected
Version 11.6(2)ES02
Status affected
Version 11.6(2)ES01
Status affected
Version 10.6(1)SU3ES03
Status affected
Version 11.0(1)SU1ES03
Status affected
Version 10.6(1)SU3ES01
Status affected
Version 10.5(1)SU1ES10
Status affected
Version 11.5(1)SU1ES03
Status affected
Version 11.6(1)ES02
Status affected
Version 11.5(1)ES01
Status affected
Version 10.6(1)SU2
Status affected
Version 10.6(1)SU2ES04
Status affected
Version 11.6(1)ES01
Status affected
Version 10.6(1)SU3ES02
Status affected
Version 11.5(1)SU1ES02
Status affected
Version 11.5(1)SU1ES01
Status affected
Version 11.0(1)SU1ES02
Status affected
Version 12.5(1)_SU03_ES03
Status affected
Version 12.5(1)_SU03_ES04
Status affected
Version 12.5(1)_SU03_ES05
Status affected
Version UCCX 15.0.1
Status affected
Version 12.5(1)_SU03_ES06
Status affected
Version 12.5(1)_SU03_ES07
Status affected
Version 15.0(1)
Status affected
Version 15.0(1)ES01
Status affected
Version 15.0(1)ES-MSOauth
Status affected
Version 1501_ES01_CSCws06843
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.13
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
psirt@cisco.com 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.