Details of VAR-201509-0459

ID

VAR-201509-0459

CVE

CVE-2015-4304

TITLE

Cisco Prime Collaboration Assurance of Web Vulnerabilities that prevent access restrictions in the framework

Trust: 0.8

sources: JVNDB: JVNDB-2015-004936

DESCRIPTION

The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended access restrictions, and create administrative accounts or read data from arbitrary tenant domains, via a crafted URL, aka Bug IDs CSCus62671 and CSCus62652. Cisco Prime Collaboration Assurance is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass security restrictions to perform unauthorized actions; this may aid in launching further attacks. This issue is being tracked by Cisco Bug IDs CSCus62652 and CSCus62671. This solution supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites. A remote attacker could exploit this vulnerability to access restricted functionality by sending a specially crafted URL

Trust: 1.98

sources: NVD: CVE-2015-4304 // JVNDB: JVNDB-2015-004936 // BID: 76761 // VULHUB: VHN-82265

AFFECTED PRODUCTS

vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.5.1	Trust: 1.9
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.5.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.0.0	Trust: 1.6
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.0 .0	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.5 .0	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.5 .1	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.6 .0	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.0 .0	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.5 .0	Trust: 0.8
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.6	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	10.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.5	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance	scope:	eq	version:	9.0	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance msp	scope:	ne	version:	10.5.1	Trust: 0.3
vendor:	cisco	model:	prime collaboration assurance	scope:	ne	version:	11.0	Trust: 0.3

sources: BID: 76761 // JVNDB: JVNDB-2015-004936 // CNNVD: CNNVD-201509-244 // NVD: CVE-2015-4304

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4304
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-4304
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201509-244
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-82265
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-4304
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-82265
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-82265 // JVNDB: JVNDB-2015-004936 // CNNVD: CNNVD-201509-244 // NVD: CVE-2015-4304

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-82265 // JVNDB: JVNDB-2015-004936 // NVD: CVE-2015-4304

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-244

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201509-244

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004936

PATCH

title:	cisco-sa-20150916-pca	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150916-pca	Trust: 0.8
title:	40519	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=40519	Trust: 0.8
title:	cisco-sa-20150916-pca	url:	http://www.cisco.com/cisco/web/support/JP/113/1135/1135304_cisco-sa-20150916-pca-j.html	Trust: 0.8

sources: JVNDB: JVNDB-2015-004936

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4304	Trust: 2.8
db:	SECTRACK	id:	1033581	Trust: 1.1
db:	BID	id:	76761	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-004936	Trust: 0.8
db:	CNNVD	id:	CNNVD-201509-244	Trust: 0.7
db:	VULHUB	id:	VHN-82265	Trust: 0.1

sources: VULHUB: VHN-82265 // BID: 76761 // JVNDB: JVNDB-2015-004936 // CNNVD: CNNVD-201509-244 // NVD: CVE-2015-4304

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150916-pca	Trust: 2.0
url:	http://www.securitytracker.com/id/1033581	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4304	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4304	Trust: 0.8
url:	http://www.securityfocus.com/bid/76761	Trust: 0.6
url:	http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/collaboration/10-0/assurance/standard/guide/cisco_prime_collaboration_assurance_guide_standard_10/bk_assurance_standard_chapter_010.html	Trust: 0.3
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=40519	Trust: 0.3

sources: VULHUB: VHN-82265 // BID: 76761 // JVNDB: JVNDB-2015-004936 // CNNVD: CNNVD-201509-244 // NVD: CVE-2015-4304

CREDITS

Cisco

Trust: 0.9

sources: BID: 76761 // CNNVD: CNNVD-201509-244

SOURCES

db:	VULHUB	id:	VHN-82265
db:	BID	id:	76761
db:	JVNDB	id:	JVNDB-2015-004936
db:	CNNVD	id:	CNNVD-201509-244
db:	NVD	id:	CVE-2015-4304

LAST UPDATE DATE

2024-11-23T22:07:58.988000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-82265	date:	2017-01-04T00:00:00
db:	BID	id:	76761	date:	2015-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-004936	date:	2015-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201509-244	date:	2015-09-24T00:00:00
db:	NVD	id:	CVE-2015-4304	date:	2024-11-21T02:30:48.230

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-82265	date:	2015-09-20T00:00:00
db:	BID	id:	76761	date:	2015-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2015-004936	date:	2015-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201509-244	date:	2015-09-18T00:00:00
db:	NVD	id:	CVE-2015-4304	date:	2015-09-20T01:59:00.097