EXECUTIVE SUMMARY:
CVE-2026-20175 with a CVSS score of 6.1 is a remote file inclusion (RFI) flaw in Cisco Finesse, affecting all Finesse software releases prior to the security update regardless of configuration. The vulnerability stems from insufficient validation of user‑supplied input in HTTP requests, allowing an attacker who knows the devices address to craft a malicious URL that references an external file. When a legitimate user clicks the link, the Finesse web interface loads the remote file into the active session, enabling the attacker to inject and execute arbitrary JavaScript in the victims browser context. Exploitation requires only network‑level access to the target device and user interaction with the crafted link; no authentication or prior compromise is needed. Successful exploitation can lead to browser‑based attacks such as credential theft, session hijacking, or the display of malicious content, and may expose sensitive configuration data stored on the Finesse device. The attack is contingent on the victims willingness to follow the malicious link and the presence of an unpatched Finesse instance, making user awareness and timely patching critical to prevent these impacts.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-20175 with a CVSS score of 6.1 is a remote file inclusion (RFI) flaw in Cisco Finesse, affecting all Finesse software releases prior to the security update regardless of configuration. The vulnerability stems from insufficient validation of user‑supplied input in HTTP requests, allowing an attacker who knows the devices address to craft a malicious URL that references an external file. When a legitimate user clicks the link, the Finesse web interface loads the remote file into the active session, enabling the attacker to inject and execute arbitrary JavaScript in the victims browser context. Exploitation requires only network‑level access to the target device and user interaction with the crafted link; no authentication or prior compromise is needed. Successful exploitation can lead to browser‑based attacks such as credential theft, session hijacking, or the display of malicious content, and may expose sensitive configuration data stored on the Finesse device. The attack is contingent on the victims willingness to follow the malicious link and the presence of an unpatched Finesse instance, making user awareness and timely patching critical to prevent these impacts.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
[/emaillocker]