Jul 20, 2009

Vulnerabilities in Unified Contact Center Express Administration Pages

On July 15, 2009 the Cisco PSIRT published a new security advisory concerning vulnerabilities in the Unified Contact Center Express Administration Pages. The vulnerabilities were reported to Cisco by National Australia Bank’s Security Assurance team.

Cisco Unified Contact Center Express (Cisco Unified CCX) server contains both a directory traversal vulnerability and a script injection vulnerability in the administration pages of the Customer Response Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) products. Exploitation of these vulnerabilities could result in a denial of service condition, information disclosure, or a privilege escalation attack.

Vulnerable Products
All versions of Cisco Unified CCX server running the following software may be affected by these vulnerabilities:

  • Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  • Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  • Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
  • Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x, and 7.x
  • Cisco Customer Response Applications versions 3.x
  • Cisco IP Queue Manager (IP QM) versions 3.x

Details
Cisco Unified Contact Center Express (Cisco Unified CCX) servers may be affected by both a directory traversal vulnerability and a script injection vulnerability.

Impact
Successful exploitation of the directory traversal vulnerability may result in read and write access to files on the underlying operating system. Successful exploitation of the script injection vulnerability may result in the execution of JavaScript in the sessions of authenticated users and may prevent server pages from displaying properly.

Link: http://www.cisco.com/…/products_security_advisory.shtml