Skip to main content

Cisco Enterprise Chat and Email CVE-2026-20172

| EUVDEUVD-2026-27856 MEDIUM
Reliance on File Name or Extension of Externally-Supplied File (CWE-646)
2026-05-06 cisco GHSA-rx97-pwc5-6v32
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 17:34 vuln.today

DescriptionCVE.org

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent.

This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. 

AnalysisAI

Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.

Technical ContextAI

The vulnerability exists in the file upload handling mechanism of the Lite Agent feature within ECE, specifically in the absence of proper file content validation and sanitization during upload operations. CWE-646 (Reliance on File Contents to Identify File Type) indicates the application trusts file contents without proper validation, allowing an attacker to upload HTML or script files that the application subsequently serves to other users. The combination of inadequate input validation and lack of output encoding creates a stored XSS condition where malicious payloads persist in the application and execute in the context of users accessing the uploaded files.

RemediationAI

Obtain and deploy the patched version of Cisco ECE from Cisco, with specific version information available in the official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-lite-agent-BCgSN8eb. As an interim compensating control, restrict file upload functionality in the Lite Agent feature to authenticated administrators only, or disable the Lite Agent feature entirely if not operationally critical. Additionally, implement Content Security Policy (CSP) headers to restrict script execution from uploaded content, configure the application to serve uploaded files with 'Content-Disposition: attachment' headers to prevent in-browser execution, and audit file uploads to the Lite Agent feature for suspicious HTML or script content. Note that disabling Lite Agent may impact user functionality, so coordinate with business stakeholders before implementing.

Share

CVE-2026-20172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy