Cisco says the bugs allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges or to gain access to sensitive information. There is no workaround: customers have no option but to install the latest updates to prevent attacks.
Norwegian security outfit Watchcom found earlier this year that Jabber was vulnerable to cross-site scripting (XSS) through XHTML-IM messages. Jabber did not properly sanitize incoming HTML messages and instead passed them through a faulty XSS filter.
Cisco notes that the new message-handling vulnerabilities can be exploited if an attacker can send Extensible Messaging and Presence Protocol (XMPP) messages to end-user systems running Cisco Jabber.
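The root cause described above is HTML passed through a filter that tries to recognise bad markup rather than a parser that keeps only known-good markup. The following is an added illustration, not Cisco's, Watchcom's or Jabber's code, of the allowlist approach for XHTML-IM bodies: the element and attribute allowlist is an assumed, reduced subset of the XEP-0071 recommended profile (the `style` attribute is deliberately left out), and the sample message is constructed.

```python
# Added example: allowlist-based sanitizer for an XHTML-IM (XEP-0071) <body>.
# Anything not explicitly allowed is dropped, so unknown elements, event-handler
# attributes and non-http(s) link targets never reach the rendering engine.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XHTML_NS = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML_NS)  # serialize with a default xmlns, not ns0:

# Assumed reduced subset of the XEP-0071 recommended profile; 'style' is excluded.
ALLOWED_ELEMENTS = {"body", "p", "span", "br", "a", "em", "strong",
                    "ul", "ol", "li", "blockquote", "cite"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "xmpp", "mailto"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _safe_url(url):
    return urlsplit(url.strip()).scheme.lower() in SAFE_SCHEMES


def _drop(parent, child, prev):
    """Remove child but keep the text that followed it so the message stays readable."""
    if child.tail:
        if prev is not None:
            prev.tail = (prev.tail or "") + child.tail
        else:
            parent.text = (parent.text or "") + child.tail
    parent.remove(child)


def _clean(elem):
    prev = None
    for child in list(elem):
        name = _local(child.tag)
        if name not in ALLOWED_ELEMENTS:      # e.g. <script>: gone, subtree included
            _drop(elem, child, prev)
            continue
        for attr in list(child.attrib):       # e.g. onclick: not allowlisted, gone
            bad_link = attr == "href" and not _safe_url(child.attrib[attr])
            if attr not in ALLOWED_ATTRS.get(name, set()) or bad_link:
                del child.attrib[attr]
        _clean(child)
        prev = child


def sanitize_xhtml_im(xml_text):
    """Return the sanitized <body> as a string, or None if it is not a well-formed body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if _local(root.tag) != "body":
        return None
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample message exercising all three rejection paths.
SAMPLE = ('<body xmlns="http://www.w3.org/1999/xhtml"><p>hi <span onclick="run()">there</span>'
          '<script>run()</script> see <a href="javascript:void(0)">link</a> and '
          '<a href="https://example.com">site</a></p></body>')
```

Rejecting malformed input outright (returning `None`) matters as much as the allowlist: a filter that tries to repair broken markup is where parser differentials between filter and renderer creep in.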