Details of VAR-201404-0559

ID

VAR-201404-0559

CVE

CVE-2014-2180

TITLE

Cisco Unified Contact Center Express of Document Management Component upload vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-002264

DESCRIPTION

The Document Management component in Cisco Unified Contact Center Express does not properly validate a parameter, which allows remote authenticated users to upload files to arbitrary pathnames via a crafted HTTP request, aka Bug ID CSCun74133. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. This issue is being tracked by Cisco Bug ID CSCun74133. Document Management is one of the document management applications. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request to upload any to any pathname

Trust: 2.07

sources: NVD: CVE-2014-2180 // JVNDB: JVNDB-2014-002264 // BID: 67102 // VULHUB: VHN-70119 // VULMON: CVE-2014-2180

AFFECTED PRODUCTS

vendor:	cisco	model:	unified contact center express editor software	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	unified contact center enterprise	scope:	-	version:	-	Trust: 1.4
vendor:	cisco	model:	unified contact center enterprise	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	unified contact center express	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified contact center express editor software	scope:	eq	version:	10.0(1)	Trust: 0.8

sources: JVNDB: JVNDB-2014-002264 // CNNVD: CNNVD-201404-565 // NVD: CVE-2014-2180

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2180
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2180
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201404-565
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-70119
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2014-2180
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-2180
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-70119
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70119 // VULMON: CVE-2014-2180 // JVNDB: JVNDB-2014-002264 // CNNVD: CNNVD-201404-565 // NVD: CVE-2014-2180

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-70119 // JVNDB: JVNDB-2014-002264 // NVD: CVE-2014-2180

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-565

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201404-565

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002264

PATCH

title:	Cisco Unified Contact Center Express Arbitrary File Upload Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2180	Trust: 0.8
title:	33989	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=33989	Trust: 0.8
title:	Cisco: Cisco Unified Contact Center Express Arbitrary File Upload Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=Cisco-SA-20140429-CVE-2014-2180	Trust: 0.1

sources: VULMON: CVE-2014-2180 // JVNDB: JVNDB-2014-002264

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2180	Trust: 2.9
db:	JVNDB	id:	JVNDB-2014-002264	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-565	Trust: 0.7
db:	CISCO	id:	20140428 CISCO UNIFIED CONTACT CENTER EXPRESS ARBITRARY FILE UPLOAD VULNERABILITY	Trust: 0.6
db:	BID	id:	67102	Trust: 0.4
db:	VULHUB	id:	VHN-70119	Trust: 0.1
db:	VULMON	id:	CVE-2014-2180	Trust: 0.1

sources: VULHUB: VHN-70119 // VULMON: CVE-2014-2180 // BID: 67102 // JVNDB: JVNDB-2014-002264 // CNNVD: CNNVD-201404-565 // NVD: CVE-2014-2180

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-2180	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2180	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2180	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140429-cve-2014-2180	Trust: 0.1

sources: VULHUB: VHN-70119 // VULMON: CVE-2014-2180 // BID: 67102 // JVNDB: JVNDB-2014-002264 // CNNVD: CNNVD-201404-565 // NVD: CVE-2014-2180

CREDITS

Cisco

Trust: 0.3

sources: BID: 67102

SOURCES

db:	VULHUB	id:	VHN-70119
db:	VULMON	id:	CVE-2014-2180
db:	BID	id:	67102
db:	JVNDB	id:	JVNDB-2014-002264
db:	CNNVD	id:	CNNVD-201404-565
db:	NVD	id:	CVE-2014-2180

LAST UPDATE DATE

2024-11-23T23:09:23.558000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70119	date:	2014-04-29T00:00:00
db:	VULMON	id:	CVE-2014-2180	date:	2014-04-29T00:00:00
db:	BID	id:	67102	date:	2014-05-02T00:50:00
db:	JVNDB	id:	JVNDB-2014-002264	date:	2014-04-30T00:00:00
db:	CNNVD	id:	CNNVD-201404-565	date:	2014-04-30T00:00:00
db:	NVD	id:	CVE-2014-2180	date:	2024-11-21T02:05:48.307

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70119	date:	2014-04-29T00:00:00
db:	VULMON	id:	CVE-2014-2180	date:	2014-04-29T00:00:00
db:	BID	id:	67102	date:	2014-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2014-002264	date:	2014-04-30T00:00:00
db:	CNNVD	id:	CNNVD-201404-565	date:	2014-04-30T00:00:00
db:	NVD	id:	CVE-2014-2180	date:	2014-04-29T10:37:03.967