The host is installed with Cisco Unity Express and is prone to multiple cross-site scripting and request forgery vulnerabilities.

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in context of an affected site and perform certain actions when a logged-in user visits a specially crafted web page. Impact Level: Application

Upgrade to Cisco Unity Express 8.0 or later, For updated refer to https://sso.cisco.com/autho/forms/CDClogin.html

- Input passed via the 'gui_pagenotableData' parameter to Web/SA2/ScriptList.do and 'holiday.description' parameter to /Web/SA3/AddHoliday.do are not properly sanitized before being returned to the user. - The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests.

Cisco Unity Express version 7.x

• http://infosec42.blogspot.in/2013/02/cisco-unity-express-vulnerabilites.html
• http://secunia.com/advisories/52045
• http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
• http://tools.cisco.com/security/center/viewAlert.x?alertId=28044
• http://www.exploit-db.com/exploits/24449
• http://www.osvdb.org/89837
• http://www.osvdb.org/89841

---

Updated on 2017-03-28