ID

VAR-201509-0461


CVE

CVE-2015-4306


TITLE

Vulnerability in the web framework of Cisco Prime Collaboration Assurance that allows bypassing login-session read restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2015-004938

DESCRIPTION

The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended login-session read restrictions, and impersonate administrators of arbitrary tenant domains, by discovering a session identifier and constructing a crafted URL, aka Bug IDs CSCus88343 and CSCus88334. Cisco Prime Collaboration Assurance is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges on an affected device. This issue is being tracked by Cisco Bug IDs CSCus88343 and CSCus88334. The product supports simplified management of unified communication and video collaboration networks through a unified management console, and rapid deployment of communication sites. A remote attacker can exploit this vulnerability by sending a specially crafted URL to obtain information about any user logged in to the system.

Trust: 1.98

sources: NVD: CVE-2015-4306 // JVNDB: JVNDB-2015-004938 // BID: 76759 // VULHUB: VHN-82267

AFFECTED PRODUCTS

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.5.1

Trust: 1.9

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.5.0

Trust: 1.6

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.0.0

Trust: 1.6

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.5.0

Trust: 1.6

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.6.0

Trust: 1.6

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.0.0

Trust: 1.6

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.0 .0

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.5 .0

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.5 .1

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.6 .0

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.0 .0

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.5 .0

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.6

Trust: 0.3

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.5

Trust: 0.3

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 10.0

Trust: 0.3

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.5

Trust: 0.3

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 9.0

Trust: 0.3

vendor: cisco, model: prime collaboration assurance msp, scope: ne, version: 10.5.1

Trust: 0.3

vendor: cisco, model: prime collaboration assurance, scope: ne, version: 11.0

Trust: 0.3

sources: BID: 76759 // JVNDB: JVNDB-2015-004938 // CNNVD: CNNVD-201509-246 // NVD: CVE-2015-4306

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-4306
value: HIGH

Trust: 1.0

NVD: CVE-2015-4306
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201509-246
value: HIGH

Trust: 0.6

VULHUB: VHN-82267
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-4306
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-82267
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-82267 // JVNDB: JVNDB-2015-004938 // CNNVD: CNNVD-201509-246 // NVD: CVE-2015-4306

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-82267 // JVNDB: JVNDB-2015-004938 // NVD: CVE-2015-4306

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-246

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201509-246

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004938

PATCH

title: cisco-sa-20150916-pca, url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150916-pca

Trust: 0.8

title: 40521, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=40521

Trust: 0.8

title: cisco-sa-20150916-pca, url: http://www.cisco.com/cisco/web/support/JP/113/1135/1135304_cisco-sa-20150916-pca-j.html

Trust: 0.8

sources: JVNDB: JVNDB-2015-004938

EXTERNAL IDS

db: NVD, id: CVE-2015-4306

Trust: 2.8

db: SECTRACK, id: 1033581

Trust: 1.1

db: BID, id: 76759

Trust: 1.0

db: JVNDB, id: JVNDB-2015-004938

Trust: 0.8

db: CNNVD, id: CNNVD-201509-246

Trust: 0.7

db: VULHUB, id: VHN-82267

Trust: 0.1

sources: VULHUB: VHN-82267 // BID: 76759 // JVNDB: JVNDB-2015-004938 // CNNVD: CNNVD-201509-246 // NVD: CVE-2015-4306

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150916-pca

Trust: 2.0

url:http://www.securitytracker.com/id/1033581

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4306

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4306

Trust: 0.8

url:http://www.securityfocus.com/bid/76759

Trust: 0.6

url:http://tools.cisco.com/security/center/viewalert.x?alertid=40521

Trust: 0.3

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-82267 // BID: 76759 // JVNDB: JVNDB-2015-004938 // CNNVD: CNNVD-201509-246 // NVD: CVE-2015-4306

CREDITS

Cisco

Trust: 0.9

sources: BID: 76759 // CNNVD: CNNVD-201509-246

SOURCES

db: VULHUB, id: VHN-82267
db: BID, id: 76759
db: JVNDB, id: JVNDB-2015-004938
db: CNNVD, id: CNNVD-201509-246
db: NVD, id: CVE-2015-4306

LAST UPDATE DATE

2024-11-23T22:07:59.017000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-82267, date: 2017-01-04T00:00:00
db: BID, id: 76759, date: 2015-09-16T00:00:00
db: JVNDB, id: JVNDB-2015-004938, date: 2015-09-30T00:00:00
db: CNNVD, id: CNNVD-201509-246, date: 2015-09-24T00:00:00
db: NVD, id: CVE-2015-4306, date: 2024-11-21T02:30:48.457

SOURCES RELEASE DATE

db: VULHUB, id: VHN-82267, date: 2015-09-20T00:00:00
db: BID, id: 76759, date: 2015-09-16T00:00:00
db: JVNDB, id: JVNDB-2015-004938, date: 2015-09-30T00:00:00
db: CNNVD, id: CNNVD-201509-246, date: 2015-09-18T00:00:00
db: NVD, id: CVE-2015-4306, date: 2015-09-20T01:59:03.113