ID
VAR-201305-0159
CVE
CVE-2013-1225
TITLE
Cisco Unified Customer Voice Portal XML Entity Expansion Remote Arbitrary File Access Vulnerability
Trust: 0.9
DESCRIPTION
Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366. Cisco Unified Customer Voice Portal (CVP) Contains a vulnerability in which arbitrary files can be read. This case XML External entity (XXE) Vulnerability related to the problem. Remote attackers can exploit this issue to read arbitrary files. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCub38366
Trust: 1.98
AFFECTED PRODUCTS
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 4.1 | Trust: 1.9 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 4.0 | Trust: 1.9 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 3.0 | Trust: 1.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 8.0\(1\) | Trust: 1.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 3.6\(10\) | Trust: 1.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 7.0\(2\) | Trust: 1.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 4.0\(2\) | Trust: 1.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 7.0 | Trust: 1.3 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 9.0 | Trust: 1.0 |
| vendor: | cisco | model: | unified customer voice portal | scope: | lte | version: | 9.0\(1\) | Trust: 1.0 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 8.5\(1\) | Trust: 1.0 |
| vendor: | cisco | model: | unified customer voice portal | scope: | lt | version: | 9.0.1 es 11 | Trust: 0.8 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 9.0\(1\) | Trust: 0.6 |
| vendor: | cisco | model: | unified customer voice portal | scope: | eq | version: | 7.0(1) | Trust: 0.3 |
| vendor: | cisco | model: | unified customer voice portal 4.1 es11 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | unified customer voice portal 4.0 es14 | scope: | - | version: | - | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-264 | Trust: 1.9 |
THREAT TYPE
remote
Trust: 0.6
TYPE
permissions and access control
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | 28982 | url: | http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28982 | Trust: 0.8 |
| title: | cisco-sa-20130508-cvp | url: | http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp | Trust: 0.8 |
| title: | 29159 | url: | http://tools.cisco.com/security/center/viewAlert.x?alertId=29159 | Trust: 0.8 |
| title: | cisco-sa-20130508-cvp | url: | http://www.cisco.com/cisco/web/support/JP/111/1117/1117965_cisco-sa-20130508-cvp-j.html | Trust: 0.8 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-1225 | Trust: 2.8 |
| db: | BID | id: | 59744 | Trust: 1.0 |
| db: | JVNDB | id: | JVNDB-2013-002616 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201305-183 | Trust: 0.7 |
| db: | SECUNIA | id: | 53306 | Trust: 0.6 |
| db: | CISCO | id: | 20130508 MULTIPLE VULNERABILITIES IN CISCO UNIFIED CUSTOMER VOICE PORTAL SOFTWARE | Trust: 0.6 |
| db: | VULHUB | id: | VHN-61227 | Trust: 0.1 |
REFERENCES
| url: | http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130508-cvp | Trust: 2.0 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1225 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1225 | Trust: 0.8 |
| url: | http://secunia.com/advisories/53306 | Trust: 0.6 |
| url: | http://www.securityfocus.com/bid/59744 | Trust: 0.6 |
| url: | http://www.cisco.com/en/us/products/sw/custcosw/ps1006/index.html | Trust: 0.3 |
CREDITS
Alex Senkevitch
Trust: 0.9
SOURCES
| db: | VULHUB | id: | VHN-61227 |
| db: | BID | id: | 59744 |
| db: | JVNDB | id: | JVNDB-2013-002616 |
| db: | CNNVD | id: | CNNVD-201305-183 |
| db: | NVD | id: | CVE-2013-1225 |
LAST UPDATE DATE
2024-11-23T22:02:23.976000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-61227 | date: | 2013-05-09T00:00:00 |
| db: | BID | id: | 59744 | date: | 2013-05-08T00:00:00 |
| db: | JVNDB | id: | JVNDB-2013-002616 | date: | 2013-05-10T00:00:00 |
| db: | CNNVD | id: | CNNVD-201305-183 | date: | 2013-05-10T00:00:00 |
| db: | NVD | id: | CVE-2013-1225 | date: | 2024-11-21T01:49:08.987 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-61227 | date: | 2013-05-09T00:00:00 |
| db: | BID | id: | 59744 | date: | 2013-05-08T00:00:00 |
| db: | JVNDB | id: | JVNDB-2013-002616 | date: | 2013-05-10T00:00:00 |
| db: | CNNVD | id: | CNNVD-201305-183 | date: | 2013-05-09T00:00:00 |
| db: | NVD | id: | CVE-2013-1225 | date: | 2013-05-09T12:31:19.243 |