Details of VAR-201308-0094

ID

VAR-201308-0094

CVE

CVE-2013-3451

TITLE

Cisco Unified Communications Manager Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2013-003642

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Unified Communications Manager (Unified CM) allow remote attackers to hijack the authentication of arbitrary users for requests that perform arbitrary Unified CM operations, aka Bug ID CSCui13033. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug ID CSCui13033. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Multiple cross-site request forgery vulnerabilities exist in CUCM

Trust: 1.98

sources: NVD: CVE-2013-3451 // JVNDB: JVNDB-2013-003642 // BID: 61602 // VULHUB: VHN-63453

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lte	version:	9.1(1)	Trust: 0.8
vendor:	cisco	model:	unified communications manager	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	9.1(1)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	9.1	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	9.0(1)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	9.0	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	8.6	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	8.5	Trust: 0.3

sources: BID: 61602 // JVNDB: JVNDB-2013-003642 // CNNVD: CNNVD-201308-045 // NVD: CVE-2013-3451

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3451
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-3451
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201308-045
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-63453
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-3451
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-63453
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-63453 // JVNDB: JVNDB-2013-003642 // CNNVD: CNNVD-201308-045 // NVD: CVE-2013-3451

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-63453 // JVNDB: JVNDB-2013-003642 // NVD: CVE-2013-3451

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201308-045

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201308-045

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003642

PATCH

title:	Cisco Unified Communications Manager Web Page Cross-Site Request Forgery Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3451	Trust: 0.8
title:	30292	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=30292	Trust: 0.8

sources: JVNDB: JVNDB-2013-003642

EXTERNAL IDS

db:	NVD	id:	CVE-2013-3451	Trust: 2.8
db:	BID	id:	61602	Trust: 1.0
db:	JVNDB	id:	JVNDB-2013-003642	Trust: 0.8
db:	CNNVD	id:	CNNVD-201308-045	Trust: 0.7
db:	CISCO	id:	20130802 CISCO UNIFIED COMMUNICATIONS MANAGER WEB PAGE CROSS-SITE REQUEST FORGERY VULNERABILITY	Trust: 0.6
db:	VULHUB	id:	VHN-63453	Trust: 0.1

sources: VULHUB: VHN-63453 // BID: 61602 // JVNDB: JVNDB-2013-003642 // CNNVD: CNNVD-201308-045 // NVD: CVE-2013-3451

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-3451	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3451	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3451	Trust: 0.8
url:	http://www.securityfocus.com/bid/61602	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=30292	Trust: 0.3

sources: VULHUB: VHN-63453 // BID: 61602 // JVNDB: JVNDB-2013-003642 // CNNVD: CNNVD-201308-045 // NVD: CVE-2013-3451

CREDITS

Cisco

Trust: 0.9

sources: BID: 61602 // CNNVD: CNNVD-201308-045

SOURCES

db:	VULHUB	id:	VHN-63453
db:	BID	id:	61602
db:	JVNDB	id:	JVNDB-2013-003642
db:	CNNVD	id:	CNNVD-201308-045
db:	NVD	id:	CVE-2013-3451

LAST UPDATE DATE

2024-08-14T15:14:03.424000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-63453	date:	2013-08-05T00:00:00
db:	BID	id:	61602	date:	2013-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2013-003642	date:	2013-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201308-045	date:	2013-08-22T00:00:00
db:	NVD	id:	CVE-2013-3451	date:	2013-08-05T13:22:47.910

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-63453	date:	2013-08-05T00:00:00
db:	BID	id:	61602	date:	2013-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2013-003642	date:	2013-08-06T00:00:00
db:	CNNVD	id:	CNNVD-201308-045	date:	2013-08-22T00:00:00
db:	NVD	id:	CVE-2013-3451	date:	2013-08-05T13:22:47.910