Cisco has released a security advisory outlining several vulnerabilities discovered in the web-based management interface of Cisco Finesse. These vulnerabilities, identified as CVE-2024-20404 and CVE-2024-20405, pose significant risks as they could potentially allow unauthenticated remote attackers to execute stored cross-site scripting (XSS) attacks. The first vulnerability involves a remote file inclusion (RFI) flaw, while the second vulnerability enables a server-side request forgery (SSRF) attack to be launched via the Finesse web interface.
The impact of these vulnerabilities is classified by Cisco as Medium, primarily due to the restricted scope of information accessible to potential attackers. However, the vulnerabilities still pose a substantial risk to affected systems and require immediate attention. The Common Vulnerability Scoring System (CVSS) base score for these vulnerabilities is 7.2, indicating that they are network exploitable and require low attack complexity but have a limited impact on confidentiality and integrity.
Affected users are strongly advised to upgrade to the fixed software releases provided by Cisco to mitigate the risks associated with these vulnerabilities. For users on affected Finesse releases 11.6(1) ES11 and earlier, migrating to a fixed release is recommended. Similarly, users on release 12.6(2) ES01 and earlier should update to 12.6(2) ES03 to ensure protection against potential exploitation. Unfortunately, no workarounds are available for these vulnerabilities, underscoring the critical importance of applying the provided updates promptly.
These vulnerabilities underscore the necessity of maintaining up-to-date software and promptly applying security patches to mitigate potential risks. Cisco’s proactive approach in releasing updates aims to safeguard users from potential exploitation by malicious actors. For detailed information on these vulnerabilities and mitigation steps, users are encouraged to refer to the official Cisco Security Advisory.
