ID

VAR-201410-0998


CVE

CVE-2014-3374


TITLE

Cisco Unified Communications Manager Server CCM admin Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005163

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuq90582. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability exists because the program does not correctly validate parameters passed via the HTTP GET and POST methods. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Trust: 1.98

sources: NVD: CVE-2014-3374 // JVNDB: JVNDB-2014-005163 // BID: 70849 // VULHUB: VHN-71314

AFFECTED PRODUCTS

vendor: cisco // model: unified communications manager // scope: eq // version: *

Trust: 1.0

vendor: cisco // model: unified communications manager // scope: lte // version: 9.1(2.10000.28)

Trust: 0.8

vendor: cisco // model: unified communications manager // scope: - // version: -

Trust: 0.6

sources: JVNDB: JVNDB-2014-005163 // CNNVD: CNNVD-201410-1436 // NVD: CVE-2014-3374

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3374
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3374
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201410-1436
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71314
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3374
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71314
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71314 // JVNDB: JVNDB-2014-005163 // CNNVD: CNNVD-201410-1436 // NVD: CVE-2014-3374

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-71314 // JVNDB: JVNDB-2014-005163 // NVD: CVE-2014-3374

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1436

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1436

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005163

PATCH

title: Cisco Unified Communications Manager Admin Interface Reflected Cross-Site Scripting Vulnerability // url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3374

Trust: 0.8

title: 36295 // url: http://tools.cisco.com/security/center/viewAlert.x?alertId=36295

Trust: 0.8

sources: JVNDB: JVNDB-2014-005163

EXTERNAL IDS

db: NVD // id: CVE-2014-3374

Trust: 2.8

db: BID // id: 70849

Trust: 1.4

db: SECUNIA // id: 59696

Trust: 1.1

db: SECTRACK // id: 1031162

Trust: 1.1

db: JVNDB // id: JVNDB-2014-005163

Trust: 0.8

db: CNNVD // id: CNNVD-201410-1436

Trust: 0.7

db: VULHUB // id: VHN-71314

Trust: 0.1

sources: VULHUB: VHN-71314 // BID: 70849 // JVNDB: JVNDB-2014-005163 // CNNVD: CNNVD-201410-1436 // NVD: CVE-2014-3374

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3374

Trust: 1.7

url:http://www.securityfocus.com/bid/70849

Trust: 1.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=36295

Trust: 1.1

url:http://www.securitytracker.com/id/1031162

Trust: 1.1

url:http://secunia.com/advisories/59696

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98407

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3374

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3374

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-71314 // BID: 70849 // JVNDB: JVNDB-2014-005163 // CNNVD: CNNVD-201410-1436 // NVD: CVE-2014-3374

CREDITS

Cisco

Trust: 0.3

sources: BID: 70849

SOURCES

db: VULHUB // id: VHN-71314
db: BID // id: 70849
db: JVNDB // id: JVNDB-2014-005163
db: CNNVD // id: CNNVD-201410-1436
db: NVD // id: CVE-2014-3374

LAST UPDATE DATE

2024-11-23T22:49:25.884000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-71314 // date: 2017-08-29T00:00:00
db: BID // id: 70849 // date: 2014-10-30T00:00:00
db: JVNDB // id: JVNDB-2014-005163 // date: 2014-11-04T00:00:00
db: CNNVD // id: CNNVD-201410-1436 // date: 2014-11-02T00:00:00
db: NVD // id: CVE-2014-3374 // date: 2024-11-21T02:07:57.947

SOURCES RELEASE DATE

db: VULHUB // id: VHN-71314 // date: 2014-10-31T00:00:00
db: BID // id: 70849 // date: 2014-10-30T00:00:00
db: JVNDB // id: JVNDB-2014-005163 // date: 2014-11-04T00:00:00
db: CNNVD // id: CNNVD-201410-1436 // date: 2014-10-31T00:00:00
db: NVD // id: CVE-2014-3374 // date: 2014-10-31T10:55:02.190