Cisco Finesse Exposes Vulnerabilities Allowing Attackers to Execute Stored XSS Attacks

Cisco Finesse Exposes Vulnerabilities Allowing Attackers to Execute Stored XSS Attacks



Cisco has disclosed two vulnerabilities in its Finesse web-based management interface which could allow remote attackers to conduct a stored cross-site scripting attack. The vulnerabilities, identified as CVE-2024-20404 and CVE-2024-20405, involve a remote file inclusion vulnerability and a server-side request forgery attack. These vulnerabilities have a security impact rating of Medium, as they provide limited access to information. The Common Vulnerability Scoring System (CVSS) base score for these vulnerabilities is 7.2, indicating moderate risk. Affected versions of Cisco Finesse include 11.6(1) ES11 and earlier, as well as 12.6(2) ES01 and earlier.

Cisco has released software updates to address these vulnerabilities and users are advised to migrate to the fixed versions to mitigate risks. The fixed versions for the affected products are 11.6(1) ES11 and earlier, and 12.6(2) ES01 and earlier should be updated to 12.6(2) ES03. There are no workarounds available for these vulnerabilities, making it crucial for users to apply the provided updates promptly.

It is crucial for users to keep their software up-to-date and apply security patches promptly to protect against potential exploitation by malicious actors. Cisco’s proactive approach in releasing updates aims to protect users from security threats. For more detailed information, users can refer to the official Cisco Security Advisory.

Article Source
https://cybersecuritynews.com/cisco-finesse-vulnerabilities/amp/