Cisco Unified Contact Center Express Cross-Site Scripting Vulnerability

A vulnerability in the HTTP web-based management interface of the Cisco Unified Contact Center Express could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. This vulnerability applies to all Permanent Web Links (permalinks) accessible from the web interface.   The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click on a specific link. Cisco has not released software updates that address this vulnerability. Workarounds that address this vulnerability are not available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160125-ucce

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectorshttp://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html .