Details of VAR-201402-0222

ID

VAR-201402-0222

CVE

CVE-2014-0740

TITLE

Cisco Unified Communications Manager of OS Administration Component cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001495

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) interface in the OS Administration component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of administrators for requests that make administrative changes, aka Bug ID CSCun00701. Vendors have confirmed this vulnerability Bug ID CSCun00701 It is released as.A third party could hijack the administrator's credentials and make administrative changes. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected user. Other attacks are also possible. This issue is being tracked by Cisco bug ID CSCun00701. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.98

sources: NVD: CVE-2014-0740 // JVNDB: JVNDB-2014-001495 // BID: 65795 // VULHUB: VHN-68233

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr2b	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.1	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr4	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr1	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.3sr2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr3	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.2.2	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)sr2a	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	3.3\(5\)sr1	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lte	version:	10.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr2	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	10.0	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	4.1\(3\)sr1	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	lte	version:	10.0(1)	Trust: 0.8
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	0	Trust: 0.3

sources: BID: 65795 // JVNDB: JVNDB-2014-001495 // CNNVD: CNNVD-201402-425 // NVD: CVE-2014-0740

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0740
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-0740
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201402-425
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-68233
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-0740
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-68233
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-68233 // JVNDB: JVNDB-2014-001495 // CNNVD: CNNVD-201402-425 // NVD: CVE-2014-0740

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-68233 // JVNDB: JVNDB-2014-001495 // NVD: CVE-2014-0740

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-425

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201402-425

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001495

PATCH

title:	Cisco Unified Communications Manager OS Administration CSRF Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0740	Trust: 0.8
title:	33049	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=33049	Trust: 0.8

sources: JVNDB: JVNDB-2014-001495

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0740	Trust: 2.8
db:	SECTRACK	id:	1029843	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-001495	Trust: 0.8
db:	CNNVD	id:	CNNVD-201402-425	Trust: 0.7
db:	CISCO	id:	20140225 CISCO UNIFIED COMMUNICATIONS MANAGER OS ADMINISTRATION CSRF VULNERABILITY	Trust: 0.6
db:	SECUNIA	id:	57143	Trust: 0.6
db:	BID	id:	65795	Trust: 0.4
db:	VULHUB	id:	VHN-68233	Trust: 0.1

sources: VULHUB: VHN-68233 // BID: 65795 // JVNDB: JVNDB-2014-001495 // CNNVD: CNNVD-201402-425 // NVD: CVE-2014-0740

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-0740	Trust: 2.0
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=33049	Trust: 1.7
url:	http://www.securitytracker.com/id/1029843	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0740	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0740	Trust: 0.8
url:	http://secunia.com/advisories/57143	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-68233 // BID: 65795 // JVNDB: JVNDB-2014-001495 // CNNVD: CNNVD-201402-425 // NVD: CVE-2014-0740

CREDITS

Cisco

Trust: 0.3

sources: BID: 65795

SOURCES

db:	VULHUB	id:	VHN-68233
db:	BID	id:	65795
db:	JVNDB	id:	JVNDB-2014-001495
db:	CNNVD	id:	CNNVD-201402-425
db:	NVD	id:	CVE-2014-0740

LAST UPDATE DATE

2024-11-23T22:46:07.884000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-68233	date:	2015-08-01T00:00:00
db:	BID	id:	65795	date:	2014-02-25T00:00:00
db:	JVNDB	id:	JVNDB-2014-001495	date:	2014-03-14T00:00:00
db:	CNNVD	id:	CNNVD-201402-425	date:	2014-02-28T00:00:00
db:	NVD	id:	CVE-2014-0740	date:	2024-11-21T02:02:43.383

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-68233	date:	2014-02-27T00:00:00
db:	BID	id:	65795	date:	2014-02-25T00:00:00
db:	JVNDB	id:	JVNDB-2014-001495	date:	2014-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201402-425	date:	2014-02-28T00:00:00
db:	NVD	id:	CVE-2014-0740	date:	2014-02-27T01:55:03.290