Cisco ECE Vulnerability Could Lead to Open Redirect Attacks
CVE-2022-20634

4.7 MEDIUM

Key Information:

Vendor
Cisco
CVE Published:
15 November 2024

Summary

A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to redirect a user to an undesired or malicious web page. The vulnerability is due to improper input validation of URL parameters in HTTP requests. An attacker could exploit it by persuading a user to click a specially crafted link that triggers the redirect. Open redirects of this kind are commonly abused in phishing campaigns to lure users to harmful sites. Cisco has released software updates that address this vulnerability; there are no workarounds.
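The root cause named above is a redirect target taken from an HTTP request parameter and used without validation. The following is an added illustration of the defensive check such a handler needs; it is not Cisco ECE code and does not reflect how ECE implements redirects. The allowlisted host `portal.example.com`, the `safe_redirect_target` function and every sample input are constructed for this example.

```python
"""Allowlist-based validation of a user-supplied redirect target.

Added example for the open-redirect class described above; this is not
Cisco ECE code. Host names and sample inputs are constructed.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this application may send a browser to.
ALLOWED_HOSTS = frozenset({"portal.example.com"})
DEFAULT_LANDING = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return `raw` if it is a safe redirect destination, otherwise `default`.

    Only two shapes are accepted: an absolute path on the current origin
    ("/account/home") or an http(s) URL whose host is on the allowlist.
    Other schemes, scheme-relative URLs ("//host/..."), userinfo tricks,
    backslashes and control characters all fall back to the default page.
    """
    if not isinstance(raw, str):
        return default
    candidate = raw.strip()
    if not candidate:
        return default
    # Check for CR/LF and other control bytes BEFORE parsing: urlsplit()
    # silently strips tab/newline characters, which would hide an attempt
    # at response-header injection through the Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Browsers normalise "/\evil.example" to "//evil.example", so refuse
    # backslashes outright rather than trying to model that behaviour.
    if "\\" in candidate:
        return default

    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: scheme must be http(s) and the host allowlisted.
        if parts.scheme not in ("http", "https"):
            return default
        if "@" in parts.netloc:
            # "https://portal.example.com@evil.example/" resolves to evil.example
            return default
        if parts.hostname not in allowed_hosts:
            return default
        return candidate
    if parts.netloc:
        # Scheme-relative form such as "//evil.example/" inherits https://
        return default
    if not parts.path.startswith("/"):
        # A bare relative path resolves against whatever page issued the
        # redirect; insist on an absolute same-origin path instead.
        return default
    return candidate


# Constructed inputs a redirect parameter might carry, paired with the
# decision the validator makes for each.
SAMPLE_TARGETS = [
    "/account/home",
    "https://portal.example.com/home",
    "https://portal.example.com:8443/home",
    "//evil.example/login",
    "https://evil.example/login",
    "https://portal.example.com@evil.example/",
    "https://portal.example.com.evil.example/",
    "javascript:alert(1)",
    "/\\evil.example",
    "/home\r\nSet-Cookie: session=x",
    "home",
]


def classify(targets=SAMPLE_TARGETS):
    """Map each candidate target to the destination actually used."""
    return {t: safe_redirect_target(t) for t in targets}


if __name__ == "__main__":
    for target, decision in classify().items():
        verdict = "allowed" if decision == target else "rejected -> " + decision
        print(f"{target!r:50} {verdict}")
```

The decision is made on the parsed structure of the value, not on substring matching such as `startswith("https://portal.example.com")`, which the `portal.example.com.evil.example` and `portal.example.com@evil.example` inputs are there to defeat. A handler that only ever needs to return users to its own application can drop the absolute-URL branch entirely and accept nothing but a leading `/`.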

Affected Version(s)

Cisco Enterprise Chat and Email 11.6(1)_ES3

Cisco Enterprise Chat and Email 11.6(1)_ES4

Cisco Enterprise Chat and Email 12.0(1)_ES6

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved