VDB
CVE-2024-20367
CVE-2024-20367
PUBLISHED
CVSS 5.400000095367432 MEDIUM
A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.
EPSS 0.16% · 36.7th percentile
Risk Scores
CVSS 3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.16%
36.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Enterprise Chat and Email | 11.6(1), 11.6(1)_ES2, 11.6(1)_ES3 |
| cisco | enterprise_chat_and_email | 12.5(1), 12.6(1), 12.5 |
Exploit Intelligence
- cisco-sa-ece-xss-CSQxgxfM (circl)
Timeline
- Apr 3, 2024 CVE Published
- Apr 4, 2024 EPSS Score
- Apr 29, 2024 EPSS Score
- May 25, 2024 EPSS Score
- Jun 20, 2024 EPSS Score
- Jul 15, 2024 EPSS Score
- Aug 1, 2024 CVE Updated
- Aug 10, 2024 EPSS Score
- Sep 4, 2024 EPSS Score
- Sep 29, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 24, 2024 EPSS Score