Details of VAR-201604-0569

ID

VAR-201604-0569

CVE

CVE-2016-1377

TITLE

Cisco Unity Connection Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-002056

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Cisco Unity Connection through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCus21776. Cisco UnityConnection (UC) is a set of voice message platform from Cisco. The platform can use voice commands to make calls or listen to messages in a \342\200\234hands-free\342\200\235 manner. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCus21776

Trust: 2.52

sources: NVD: CVE-2016-1377 // JVNDB: JVNDB-2016-002056 // CNVD: CNVD-2016-02252 // BID: 86003 // VULHUB: VHN-90196

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-02252

AFFECTED PRODUCTS

vendor:	cisco	model:	unity connection	scope:	eq	version:	10.5\(2\)	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	10.0.0	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	10.5\(2.3009\)	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	11.0\(0.98000.225\)	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	11.0.0	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	10.0.5	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	lte	version:	11.0	Trust: 0.8
vendor:	cisco	model:	unity connection	scope:	lte	version:	<=11.0	Trust: 0.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.6.2	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.6	Trust: 0.3
vendor:	cisco	model:	unity connection 8.5.1	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.5	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.0(1)	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	8.0	Trust: 0.3
vendor:	cisco	model:	unity connection 7.1.5b	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	7.1.5	Trust: 0.3
vendor:	cisco	model:	unity connection 7.1.3b	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	unity connection	scope:	eq	version:	7.1	Trust: 0.3

sources: CNVD: CNVD-2016-02252 // BID: 86003 // JVNDB: JVNDB-2016-002056 // CNNVD: CNNVD-201604-248 // NVD: CVE-2016-1377

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1377
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-1377
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2016-02252
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201604-248
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-90196
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1377
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-02252
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-90196
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1377
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-02252 // VULHUB: VHN-90196 // JVNDB: JVNDB-2016-002056 // CNNVD: CNNVD-201604-248 // NVD: CVE-2016-1377

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-90196 // JVNDB: JVNDB-2016-002056 // NVD: CVE-2016-1377

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-248

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201604-248

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002056

PATCH

title:	cisco-sa-20160412-unity	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160412-unity	Trust: 0.8
title:	Patch for CiscoUnityConnection Cross-Site Scripting Vulnerability (CNVD-2016-02252)	url:	https://www.cnvd.org.cn/patchInfo/show/74230	Trust: 0.6
title:	Cisco Unity Connection Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60934	Trust: 0.6

sources: CNVD: CNVD-2016-02252 // JVNDB: JVNDB-2016-002056 // CNNVD: CNNVD-201604-248

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1377	Trust: 3.4
db:	SECTRACK	id:	1035562	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-002056	Trust: 0.8
db:	CNNVD	id:	CNNVD-201604-248	Trust: 0.7
db:	CNVD	id:	CNVD-2016-02252	Trust: 0.6
db:	BID	id:	86003	Trust: 0.4
db:	VULHUB	id:	VHN-90196	Trust: 0.1

sources: CNVD: CNVD-2016-02252 // VULHUB: VHN-90196 // BID: 86003 // JVNDB: JVNDB-2016-002056 // CNNVD: CNNVD-201604-248 // NVD: CVE-2016-1377

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160412-unity	Trust: 2.3
url:	http://www.securitytracker.com/id/1035562	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1377	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1377	Trust: 0.8
url:	www.cisco.com	Trust: 0.3

sources: CNVD: CNVD-2016-02252 // VULHUB: VHN-90196 // BID: 86003 // JVNDB: JVNDB-2016-002056 // CNNVD: CNNVD-201604-248 // NVD: CVE-2016-1377

CREDITS

Cisco

Trust: 0.3

sources: BID: 86003

SOURCES

db:	CNVD	id:	CNVD-2016-02252
db:	VULHUB	id:	VHN-90196
db:	BID	id:	86003
db:	JVNDB	id:	JVNDB-2016-002056
db:	CNNVD	id:	CNNVD-201604-248
db:	NVD	id:	CVE-2016-1377

LAST UPDATE DATE

2024-11-23T22:49:15.330000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-02252	date:	2016-04-18T00:00:00
db:	VULHUB	id:	VHN-90196	date:	2016-12-03T00:00:00
db:	BID	id:	86003	date:	2016-04-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-002056	date:	2016-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201604-248	date:	2016-04-13T00:00:00
db:	NVD	id:	CVE-2016-1377	date:	2024-11-21T02:46:18.220

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-02252	date:	2016-04-16T00:00:00
db:	VULHUB	id:	VHN-90196	date:	2016-04-12T00:00:00
db:	BID	id:	86003	date:	2016-04-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-002056	date:	2016-04-15T00:00:00
db:	CNNVD	id:	CNNVD-201604-248	date:	2016-04-13T00:00:00
db:	NVD	id:	CVE-2016-1377	date:	2016-04-12T23:59:35.587