Cisco Unified Communications Manager User Web Dialer Cross-Site Request Forgery Vulnerability

A vulnerability in the User WebDialer page of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack.

The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow the attacker to dial calls on behalf of the affected user.

Cisco has confirmed this vulnerability in a security notice; however, software updates are not available.

To exploit the vulnerability, the attacker may provide a link to a malicious site and persuade the user to follow the link by using misleading language and instructions.