Vendor description
"Consolidate your communications infrastructure and enable your people and teams to communicate simply with the Cisco Unified Communications Manager. The solution features IP telephony, high-definition video, unified messaging, Instant Message and Presence."
"Regional, family run business or global mega-brand? Choose a solution that scales as your organization's needs change. Cisco Unified Communications Manager supports the needs of small and midsize businesses through to the largest enterprises with up to 80,000 users."
"Cisco Unified (CM) supports the latest authentication, encryption, and communication protocols. It complies with key industry certifications, and secures data and communications for customers in financial services, manufacturing, retail, and government across the globe."
Business recommendation
SEC Consult recommends that Cisco customers install the latest updates and review the vendor's security note for further information.
Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected by other security issues.
Vulnerability overview/description
1) Reflected Cross-Site Scripting
The parameter "device" at the endpoint "/emapp/EMAppServlet" is vulnerable to reflected XSS. If an attacker can lure a user into clicking a crafted link (no authentication required), the attacker could potentially execute arbitrary JavaScript code in the user's browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.
A further oddity was identified: browsers cannot render the endpoint "/emapp/EMAppServlet" correctly, because an error occurs during client-side XML parsing. For a browser to render an XML response, the first line of the XML document has to be line 1 of the response body, but the server prepends a number of arbitrary newlines, so the document only begins at line 10.
Proof of concept
1) Reflected Cross-Site Scripting
To verify this vulnerability, it is sufficient to insert the following text into the parameter "device":
</URL>%0d%0a<script xmlns="http://www.w3.org/1999/xhtml">alert(document.location)</script><URL>
The following GET request can be sent to the server, containing the encoded payload in the vulnerable parameter "device". Prior authentication is not required:
/emapp/EMAppServlet?device=%3c/URL%3e%0d%0a%3cscript%20xmlns%3d%22http://www.w3.org/1999/xhtml%22%3ealert%28document.location%29%3c/script%3e%3cURL%3e
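The mechanism behind this finding and its remediation, as an added example that is neither part of the advisory nor Cisco's code: a hypothetical response template (an assumption) embeds the "device" parameter in a <URL> text node, which is why the payload closes </URL>, injects an XHTML script element and reopens <URL>; the same value rendered with XML escaping stays inert, and a small access-log check flags the request shape shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse
from xml.sax.saxutils import escape

XHTML = "http://www.w3.org/1999/xhtml"
# The proof-of-concept payload from the advisory, URL-decoded.
PAYLOAD = ('</URL>\r\n<script xmlns="http://www.w3.org/1999/xhtml">'
           'alert(document.location)</script><URL>')
# Hypothetical response template (an assumption, not the servlet's real
# output): the parameter lands inside a <URL> text node.
TEMPLATE = '<?xml version="1.0"?><Response><URL>%s</URL></Response>'


def render_unsafe(device: str) -> str:
    """Vulnerable form: the raw parameter is concatenated into the XML."""
    return TEMPLATE % device


def render_safe(device: str) -> str:
    """Hardened form: XML-escape the parameter so it remains text."""
    return TEMPLATE % escape(device, {'"': "&quot;"})


def script_elements(xml_doc: str) -> int:
    """Count XHTML <script> elements, i.e. what a browser would execute."""
    root = ET.fromstring(xml_doc)
    return len(root.findall(".//{%s}script" % XHTML))


def url_text(xml_doc: str) -> str:
    """Return the text content of the first <URL> element."""
    return ET.fromstring(xml_doc).find("URL").text or ""


def suspicious_request(request_line: str) -> bool:
    """Detection check for an access-log request line: flag a request to
    the servlet whose decoded 'device' value carries markup or CR/LF."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    parsed = urlparse(parts[1])
    if parsed.path != "/emapp/EMAppServlet":
        return False
    # parse_qs already percent-decodes, so %3c becomes '<' and %0d%0a CR/LF.
    for value in parse_qs(parsed.query).get("device", []):
        if any(ch in value for ch in "<>\r\n"):
            return True
    return False
```

The log lines used in testing are constructed samples; in a real deployment the same check would run over the web server's access log.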
Vulnerable / tested versions
The issue was found in Cisco Unified Call Manager version 12.5.1.