ID

VAR-201306-0173


CVE

CVE-2013-3397


TITLE

Cross-site request forgery vulnerability in the Unified Serviceability component of Cisco Unified Communications Manager

Trust: 0.8

sources: JVNDB: JVNDB-2013-003146

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the Unified Serviceability component in Cisco Unified Communications Manager (CUCM) allows remote attackers to hijack the authentication of arbitrary users for requests that perform Unified Serviceability actions, aka Bug ID CSCuh10298. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug ID CSCuh10298. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. A remote attacker can exploit this vulnerability by enticing an authorized CUCM user to click a malicious link to perform Unified Serviceability operations with authorized CUCM user privileges.

Trust: 1.98

sources: NVD: CVE-2013-3397 // JVNDB: JVNDB-2013-003146 // BID: 60822 // VULHUB: VHN-63399

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lte, version: 9.1(1)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified communications manager, scope: eq, version: 9.1(1)

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: eq, version: 8.6

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: eq, version: 8.5

Trust: 0.3

sources: BID: 60822 // JVNDB: JVNDB-2013-003146 // CNNVD: CNNVD-201306-490 // NVD: CVE-2013-3397

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3397
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-3397
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201306-490
value: MEDIUM

Trust: 0.6

VULHUB: VHN-63399
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-3397
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2013-3397
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-63399
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-63399 // JVNDB: JVNDB-2013-003146 // CNNVD: CNNVD-201306-490 // NVD: CVE-2013-3397

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-63399 // JVNDB: JVNDB-2013-003146 // NVD: CVE-2013-3397

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-490

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201306-490

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003146

PATCH

title: Cisco Unified Communications Manager Unified Serviceability CSRF Vulnerability
url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3397

Trust: 0.8

title: 29802
url: http://tools.cisco.com/security/center/viewAlert.x?alertId=29802

Trust: 0.8

sources: JVNDB: JVNDB-2013-003146

EXTERNAL IDS

db: NVD, id: CVE-2013-3397

Trust: 2.8

db: JVNDB, id: JVNDB-2013-003146

Trust: 0.8

db: CNNVD, id: CNNVD-201306-490

Trust: 0.7

db: CISCO, id: 20130625 CISCO UNIFIED COMMUNICATIONS MANAGER UNIFIED SERVICEABILITY CSRF VULNERABILITY

Trust: 0.6

db: BID, id: 60822

Trust: 0.4

db: VULHUB, id: VHN-63399

Trust: 0.1

sources: VULHUB: VHN-63399 // BID: 60822 // JVNDB: JVNDB-2013-003146 // CNNVD: CNNVD-201306-490 // NVD: CVE-2013-3397

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-3397

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3397

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3397

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:http://tools.cisco.com/security/center/viewalert.x?alertid=29802

Trust: 0.3

sources: VULHUB: VHN-63399 // BID: 60822 // JVNDB: JVNDB-2013-003146 // CNNVD: CNNVD-201306-490 // NVD: CVE-2013-3397

CREDITS

Cisco

Trust: 0.3

sources: BID: 60822

SOURCES

db: VULHUB, id: VHN-63399
db: BID, id: 60822
db: JVNDB, id: JVNDB-2013-003146
db: CNNVD, id: CNNVD-201306-490
db: NVD, id: CVE-2013-3397

LAST UPDATE DATE

2024-08-14T15:19:17.826000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-63399, date: 2013-10-11T00:00:00
db: BID, id: 60822, date: 2013-06-26T00:00:00
db: JVNDB, id: JVNDB-2013-003146, date: 2013-10-24T00:00:00
db: CNNVD, id: CNNVD-201306-490, date: 2013-06-28T00:00:00
db: NVD, id: CVE-2013-3397, date: 2013-10-11T17:09:09.600

SOURCES RELEASE DATE

db: VULHUB, id: VHN-63399, date: 2013-06-26T00:00:00
db: BID, id: 60822, date: 2013-06-26T00:00:00
db: JVNDB, id: JVNDB-2013-003146, date: 2013-06-28T00:00:00
db: CNNVD, id: CNNVD-201306-490, date: 2013-06-28T00:00:00
db: NVD, id: CVE-2013-3397, date: 2013-06-26T21:55:04.333