
Security issues on UCCX servers

poulid
Level 1

Hey folks. Our latest security scan has identified a problem with the following files under the web directory on our UCCX server. Can someone tell me if these files are required to be on the system, or are they only required for the installation? Our support vendor is insisting that they're required for the operation of UCCX;


3 Replies

They’re absolutely needed for operation. Either way, you would not actually be able to remove these files, as the different UIs you have access to do not have access to an OS shell as such. CVOS, as the OS is known, is a locked-down version of RHEL or CentOS.



Any thoughts on that Cross-Frame Scripting vulnerability on that same server?

 

Cisco Unified CCX Administration

System version: 12.0.1.10000-24

 

That version is a supported version, isn't it? For various reasons we are stuck at this build for a few months at least due to an integrated solution limitation. Instead of having vulnerability scanners howling at us until we upgrade, I would hope a patch would be available to correct what is really a minor config issue with Finesse website code.

Just to close the loop on the cross-frame scripting. I opened a case with PSIRT with simple iframe code showing the vulnerability and they pointed us towards an update to ES04. It resolved the issue in the version we are running.