Details of VAR-201310-0517

ID

VAR-201310-0517

CVE

CVE-2013-5534

TITLE

Cisco Unity Connection of Voice Message Web Service of attachment Directory traversal vulnerability in services

Trust: 0.8

sources: JVNDB: JVNDB-2013-004816

DESCRIPTION

Directory traversal vulnerability in the attachment service in the Voice Message Web Service (aka VMWS or Cisco Unity Web Service) in Cisco Unity Connection allows remote authenticated users to create files, and consequently execute arbitrary JSP code, via a crafted pathname for a file that is not a valid audio file, aka Bug ID CSCuj22948. Exploiting this issue may allow an attacker to upload arbitrary files to arbitrary locations that could aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuj22948. The platform can use voice commands to make calls or listen to messages "hands-free"

Trust: 1.98

sources: NVD: CVE-2013-5534 // JVNDB: JVNDB-2013-004816 // BID: 63206 // VULHUB: VHN-65536

AFFECTED PRODUCTS

vendor:	cisco	model:	unity connection	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	lte	version:	9.1(2)	Trust: 0.8
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.6	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.5	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	7.1	Trust: 0.3

sources: BID: 63206 // JVNDB: JVNDB-2013-004816 // CNNVD: CNNVD-201310-473 // NVD: CVE-2013-5534

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5534
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-5534
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201310-473
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-65536
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-5534
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-65536
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-65536 // JVNDB: JVNDB-2013-004816 // CNNVD: CNNVD-201310-473 // NVD: CVE-2013-5534

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-65536 // JVNDB: JVNDB-2013-004816 // NVD: CVE-2013-5534

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201310-473

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201310-473

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004816

PATCH

title:	Cisco Unity Connection Directory Traversal Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5534	Trust: 0.8
title:	31352	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=31352	Trust: 0.8

sources: JVNDB: JVNDB-2013-004816

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5534	Trust: 2.8
db:	JVNDB	id:	JVNDB-2013-004816	Trust: 0.8
db:	CNNVD	id:	CNNVD-201310-473	Trust: 0.7
db:	CISCO	id:	20131017 CISCO UNITY CONNECTION DIRECTORY TRAVERSAL VULNERABILITY	Trust: 0.6
db:	BID	id:	63206	Trust: 0.4
db:	VULHUB	id:	VHN-65536	Trust: 0.1

sources: VULHUB: VHN-65536 // BID: 63206 // JVNDB: JVNDB-2013-004816 // CNNVD: CNNVD-201310-473 // NVD: CVE-2013-5534

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-5534	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5534	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5534	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/en/us/products/ps6509/index.html	Trust: 0.3

sources: VULHUB: VHN-65536 // BID: 63206 // JVNDB: JVNDB-2013-004816 // CNNVD: CNNVD-201310-473 // NVD: CVE-2013-5534

CREDITS

Emerging Defense, LLC

Trust: 0.3

sources: BID: 63206

SOURCES

db:	VULHUB	id:	VHN-65536
db:	BID	id:	63206
db:	JVNDB	id:	JVNDB-2013-004816
db:	CNNVD	id:	CNNVD-201310-473
db:	NVD	id:	CVE-2013-5534

LAST UPDATE DATE

2024-11-23T22:13:51.383000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-65536	date:	2013-10-21T00:00:00
db:	BID	id:	63206	date:	2013-10-21T00:18:00
db:	JVNDB	id:	JVNDB-2013-004816	date:	2013-10-22T00:00:00
db:	CNNVD	id:	CNNVD-201310-473	date:	2013-10-21T00:00:00
db:	NVD	id:	CVE-2013-5534	date:	2024-11-21T01:57:39.413

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-65536	date:	2013-10-19T00:00:00
db:	BID	id:	63206	date:	2013-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2013-004816	date:	2013-10-22T00:00:00
db:	CNNVD	id:	CNNVD-201310-473	date:	2013-10-21T00:00:00
db:	NVD	id:	CVE-2013-5534	date:	2013-10-19T10:36:08.167