Cisco CallManager versions prior to 4.3(1), 4.2(3), 4.1(3)SR4 and 3.3(5)SR3 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in the user's browser session.
The vulnerability exists due to improper input sanitization in the CallManager Administration web interface and the CallManager User Options web interface. An attacker could exploit the vulnerability by convincing a user to follow a link designed to pass malicious script code to a vulnerable parameter. This could allow the attacker to execute arbitrary script code in the user's browser session in the context of the affected site.
Proof-of-concept code is available.
Cisco has confirmed this vulnerability with a security response, but patches are not yet available.
To exploit this vulnerability, an attacker must have an IP address and port number for an affected CallManager server. In most cases, this will require social engineering or an inside attacker. However, should the vulnerable interfaces be exposed directly to the Internet, an attacker could determine the address. The attacker would still need to convince a user of one of these systems to follow a crafted link.