ID

VAR-201410-0996


CVE

CVE-2014-3372


TITLE

Cisco Unified Communications Manager Server CCM reports Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005161

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability stems from the program not correctly verifying the parameters passed by the HTTP GET and POST methods.

Trust: 1.98

sources: NVD: CVE-2014-3372 // JVNDB: JVNDB-2014-005161 // BID: 70846 // VULHUB: VHN-71312

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lte, version: 9.1(2.10000.28)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified communications manager, scope: eq, version: 8.6

Trust: 0.3

sources: BID: 70846 // JVNDB: JVNDB-2014-005161 // CNNVD: CNNVD-201410-1434 // NVD: CVE-2014-3372

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3372
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3372
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-1434
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71312
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3372
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71312
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71312 // JVNDB: JVNDB-2014-005161 // CNNVD: CNNVD-201410-1434 // NVD: CVE-2014-3372

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-71312 // JVNDB: JVNDB-2014-005161 // NVD: CVE-2014-3372

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1434

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1434

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005161

PATCH

title: Cisco Unified Communications Manager Reports Interface Reflected Cross-Site Scripting Vulnerability
url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3372

Trust: 0.8

title: 36292
url: http://tools.cisco.com/security/center/viewAlert.x?alertId=36292

Trust: 0.8

sources: JVNDB: JVNDB-2014-005161

EXTERNAL IDS

db: NVD, id: CVE-2014-3372

Trust: 2.8

db: BID, id: 70846

Trust: 1.4

db: SECUNIA, id: 61003

Trust: 1.1

db: SECTRACK, id: 1031159

Trust: 1.1

db: JVNDB, id: JVNDB-2014-005161

Trust: 0.8

db: CNNVD, id: CNNVD-201410-1434

Trust: 0.7

db: VULHUB, id: VHN-71312

Trust: 0.1

sources: VULHUB: VHN-71312 // BID: 70846 // JVNDB: JVNDB-2014-005161 // CNNVD: CNNVD-201410-1434 // NVD: CVE-2014-3372

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3372

Trust: 1.7

url:http://www.securityfocus.com/bid/70846

Trust: 1.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=36292

Trust: 1.1

url:http://www.securitytracker.com/id/1031159

Trust: 1.1

url:http://secunia.com/advisories/61003

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98404

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3372

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3372

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-71312 // BID: 70846 // JVNDB: JVNDB-2014-005161 // CNNVD: CNNVD-201410-1434 // NVD: CVE-2014-3372

CREDITS

Cisco

Trust: 0.3

sources: BID: 70846

SOURCES

db: VULHUB, id: VHN-71312
db: BID, id: 70846
db: JVNDB, id: JVNDB-2014-005161
db: CNNVD, id: CNNVD-201410-1434
db: NVD, id: CVE-2014-3372

LAST UPDATE DATE

2024-11-23T22:18:33.933000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-71312, date: 2017-08-29T00:00:00
db: BID, id: 70846, date: 2014-11-04T00:03:00
db: JVNDB, id: JVNDB-2014-005161, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1434, date: 2014-11-02T00:00:00
db: NVD, id: CVE-2014-3372, date: 2024-11-21T02:07:57.723

SOURCES RELEASE DATE

db: VULHUB, id: VHN-71312, date: 2014-10-31T00:00:00
db: BID, id: 70846, date: 2014-10-30T00:00:00
db: JVNDB, id: JVNDB-2014-005161, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1434, date: 2014-10-31T00:00:00
db: NVD, id: CVE-2014-3372, date: 2014-10-31T10:55:02.097