ID

VAR-201410-0997


CVE

CVE-2014-3373


TITLE

Cisco Unified Communications Manager Server CCM Dialed Number Analyzer Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005162

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550. The vendor has confirmed this vulnerability and released it as Bug ID CSCup92550. Web script or HTML may be inserted by a third party through unspecified parameters. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCup92550. Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is the call processing component of Cisco's unified communications system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability stems from the program not properly validating parameters passed via the HTTP GET and POST methods. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Trust: 1.98

sources: NVD: CVE-2014-3373 // JVNDB: JVNDB-2014-005162 // BID: 70848 // VULHUB: VHN-71313

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: lte, version: 9.1(2.10000.28)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: -, version: -

Trust: 0.6

sources: JVNDB: JVNDB-2014-005162 // CNNVD: CNNVD-201410-1435 // NVD: CVE-2014-3373

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3373
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3373
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-1435
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71313
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3373
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71313
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71313 // JVNDB: JVNDB-2014-005162 // CNNVD: CNNVD-201410-1435 // NVD: CVE-2014-3373

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-71313 // JVNDB: JVNDB-2014-005162 // NVD: CVE-2014-3373

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1435

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1435

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005162

PATCH

title: Cisco Unified Communications Manager DNA Interface Reflected Cross-Site Scripting Vulnerability
url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3373

Trust: 0.8

title: 36294
url: http://tools.cisco.com/security/center/viewAlert.x?alertId=36294

Trust: 0.8

sources: JVNDB: JVNDB-2014-005162

EXTERNAL IDS

db: NVD, id: CVE-2014-3373

Trust: 2.8

db: BID, id: 70848

Trust: 1.4

db: SECTRACK, id: 1031161

Trust: 1.1

db: SECUNIA, id: 59692

Trust: 1.1

db: JVNDB, id: JVNDB-2014-005162

Trust: 0.8

db: CNNVD, id: CNNVD-201410-1435

Trust: 0.7

db: VULHUB, id: VHN-71313

Trust: 0.1

sources: VULHUB: VHN-71313 // BID: 70848 // JVNDB: JVNDB-2014-005162 // CNNVD: CNNVD-201410-1435 // NVD: CVE-2014-3373

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3373

Trust: 1.7

url:http://www.securityfocus.com/bid/70848

Trust: 1.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=36294

Trust: 1.1

url:http://www.securitytracker.com/id/1031161

Trust: 1.1

url:http://secunia.com/advisories/59692

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98406

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3373

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3373

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-71313 // BID: 70848 // JVNDB: JVNDB-2014-005162 // CNNVD: CNNVD-201410-1435 // NVD: CVE-2014-3373

CREDITS

Cisco

Trust: 0.3

sources: BID: 70848

SOURCES

db: VULHUB, id: VHN-71313
db: BID, id: 70848
db: JVNDB, id: JVNDB-2014-005162
db: CNNVD, id: CNNVD-201410-1435
db: NVD, id: CVE-2014-3373

LAST UPDATE DATE

2024-11-23T23:09:21.661000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-71313, date: 2017-08-29T00:00:00
db: BID, id: 70848, date: 2014-11-04T07:03:00
db: JVNDB, id: JVNDB-2014-005162, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1435, date: 2014-11-02T00:00:00
db: NVD, id: CVE-2014-3373, date: 2024-11-21T02:07:57.833

SOURCES RELEASE DATE

db: VULHUB, id: VHN-71313, date: 2014-10-31T00:00:00
db: BID, id: 70848, date: 2014-10-30T00:00:00
db: JVNDB, id: JVNDB-2014-005162, date: 2014-11-04T00:00:00
db: CNNVD, id: CNNVD-201410-1435, date: 2014-10-31T00:00:00
db: NVD, id: CVE-2014-3373, date: 2014-10-31T10:55:02.143