Unity Connection
Monthly
Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.
A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the audit logging component of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of multiple Cisco Unified Communications products could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the Security Assertion Markup Language (SAML) single sign-on (SSO) interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web interface of Cisco Emergency Responder, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity Connection could allow an authenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the SMTP relay of Cisco Unity Connection could allow an unauthenticated, remote attacker to send unsolicited email messages, aka a Mail Relay Vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.2% and no vendor patch available.
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 18.5% and no vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCus21776. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 10.5(2.3009) allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCux82596. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection (UC) 10.5(2.3009) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux82582. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection 11.5(0.98) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux24578. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unity Connection 9.1(1.10) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
SQL injection vulnerability in the web interface in Cisco Unity Connection 9.1(1.2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted POST request, aka Bug. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the CUCReports page in Cisco Unity Connection 11.0(0.98000.225) and 11.0(0.98000.332) allows remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager 11.0(0.98000.225) allows remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The call-handling implementation in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk integration is enabled, allows. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU6, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Unified Messaging Service (UMS) in Cisco Unity Connection 10.5 and earlier allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCur06493. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability in the web framework in Cisco Unity Connection 9.1(2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted request, aka Bug ID. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The server in Cisco Unity Connection 9.1(1) and 9.1(2) allows remote authenticated users to obtain privileged access by conducting an "HTTP Intercept" attack and leveraging the ability to read files. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory traversal vulnerability in the messaging API in Cisco Unity Connection allows remote authenticated users to read arbitrary files via vectors related to unenforced access constraints for. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the Web Inbox in Cisco Unity Connection 8.6(2a)SU3 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The server in Cisco Unity Connection allows remote authenticated users to cause a denial of service (CPU consumption) via unspecified IMAP commands, aka Bug ID CSCul49976. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory traversal vulnerability in the attachment service in the Voice Message Web Service (aka VMWS or Cisco Unity Web Service) in Cisco Unity Connection allows remote authenticated users to. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Memory leak in Cisco Unity Connection 9.x allows remote attackers to cause a denial of service (memory consumption and process crash) by sending many TCP requests, aka Bug ID CSCud59736. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection (UC) 7.1, 8.0, and 8.5 allows remote authenticated users to cause a denial of service (resource consumption and administration outage) via extended use of the product, aka Bug. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection (UC) 8.6, 9.0, and 9.5 allows remote attackers to cause a denial of service (CPU consumption) via malformed UDP packets, aka Bug ID CSCtz76269. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection before 7.1.5b(Su5), 8.0 and 8.5 before 8.5.1(Su3), and 8.6 before 8.6.2 allows remote attackers to cause a denial of service (services crash) via a series of crafted TCP. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection before 7.1.3b(Su2) allows remote authenticated users to change the administrative password by leveraging the Help Desk Administrator role, aka Bug ID CSCtd45141. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.
A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the audit logging component of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of multiple Cisco Unified Communications products could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the Security Assertion Markup Language (SAML) single sign-on (SSO) interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web interface of Cisco Emergency Responder, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity Connection could allow an authenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the SMTP relay of Cisco Unity Connection could allow an unauthenticated, remote attacker to send unsolicited email messages, aka a Mail Relay Vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.2% and no vendor patch available.
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 18.5% and no vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCus21776. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 10.5(2.3009) allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCux82596. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in Cisco Unity Connection (UC) 10.5(2.3009) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux82582. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection 11.5(0.98) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCux24578. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unity Connection 9.1(1.10) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
SQL injection vulnerability in the web interface in Cisco Unity Connection 9.1(1.2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted POST request, aka Bug. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the CUCReports page in Cisco Unity Connection 11.0(0.98000.225) and 11.0(0.98000.332) allows remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager 11.0(0.98000.225) allows remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The call-handling implementation in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk integration is enabled, allows. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU6, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
The Unified Messaging Service (UMS) in Cisco Unity Connection 10.5 and earlier allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCur06493. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability in the web framework in Cisco Unity Connection 9.1(2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted request, aka Bug ID. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The server in Cisco Unity Connection 9.1(1) and 9.1(2) allows remote authenticated users to obtain privileged access by conducting an "HTTP Intercept" attack and leveraging the ability to read files. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory traversal vulnerability in the messaging API in Cisco Unity Connection allows remote authenticated users to read arbitrary files via vectors related to unenforced access constraints for. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the Web Inbox in Cisco Unity Connection 8.6(2a)SU3 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The server in Cisco Unity Connection allows remote authenticated users to cause a denial of service (CPU consumption) via unspecified IMAP commands, aka Bug ID CSCul49976. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory traversal vulnerability in the attachment service in the Voice Message Web Service (aka VMWS or Cisco Unity Web Service) in Cisco Unity Connection allows remote authenticated users to. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Memory leak in Cisco Unity Connection 9.x allows remote attackers to cause a denial of service (memory consumption and process crash) by sending many TCP requests, aka Bug ID CSCud59736. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection (UC) 7.1, 8.0, and 8.5 allows remote authenticated users to cause a denial of service (resource consumption and administration outage) via extended use of the product, aka Bug. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection (UC) 8.6, 9.0, and 9.5 allows remote attackers to cause a denial of service (CPU consumption) via malformed UDP packets, aka Bug ID CSCtz76269. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection before 7.1.5b(Su5), 8.0 and 8.5 before 8.5.1(Su3), and 8.6 before 8.6.2 allows remote attackers to cause a denial of service (services crash) via a series of crafted TCP. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cisco Unity Connection before 7.1.3b(Su2) allows remote authenticated users to change the administrative password by leveraging the Help Desk Administrator role, aka Bug ID CSCtd45141. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.