Details of VAR-201610-0277

ID

VAR-201610-0277

CVE

CVE-2016-6426

TITLE

Cisco Unified Contact Center Express Used in Unified Intelligence Center Vulnerable to user account creation

Trust: 0.8

sources: JVNDB: JVNDB-2016-005163

DESCRIPTION

The j_spring_security_switch_user function in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to create user accounts by visiting an unspecified web page, aka Bug IDs CSCuy75027 and CSCuy81653. Vendors have confirmed this vulnerability Bug ID CSCuy75027 ,and CSCuy81653 It is released as.Unspecified by a third party Web By accessing the page, a user account may be created. Successful exploits may allow an attacker to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. This issue is tracked by Cisco Bug IDs CSCuy75027 and CSCuy81653. Unified CCX is a customer relationship management component in a unified communication solution; CUIC is a set of web-based reporting platform. A remote attacker could exploit this vulnerability by visiting a page to create user accounts

Trust: 1.98

sources: NVD: CVE-2016-6426 // JVNDB: JVNDB-2016-005163 // BID: 93420 // VULHUB: VHN-95246

AFFECTED PRODUCTS

vendor:	cisco	model:	unified intelligence center	scope:	eq	version:	9.0\(2\)	Trust: 1.6
vendor:	cisco	model:	unified intelligence center	scope:	eq	version:	8.5.4	Trust: 1.6
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	11.0\(1\)	Trust: 1.6
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	10.0\(1\)	Trust: 1.6
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	10.6\(1\)	Trust: 1.6
vendor:	cisco	model:	unified intelligence center	scope:	eq	version:	9.1\(1\)	Trust: 1.6
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	10.5\(1\)	Trust: 1.6
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	10.0(1) to 11.0(1)	Trust: 0.8
vendor:	cisco	model:	unified intelligence center	scope:	eq	version:	8.5.4 to 9.1(1)	Trust: 0.8
vendor:	cisco	model:	unified intelligence center	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3

sources: BID: 93420 // JVNDB: JVNDB-2016-005163 // CNNVD: CNNVD-201610-081 // NVD: CVE-2016-6426

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-6426
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-6426
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201610-081
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-95246
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-6426
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-95246
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-6426
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-95246 // JVNDB: JVNDB-2016-005163 // CNNVD: CNNVD-201610-081 // NVD: CVE-2016-6426

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-95246 // JVNDB: JVNDB-2016-005163 // NVD: CVE-2016-6426

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-081

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201610-081

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005163

PATCH

title:	cisco-sa-20161005-ucis2	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ucis2	Trust: 0.8
title:	Cisco Unified Intelligence Center Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64509	Trust: 0.6

sources: JVNDB: JVNDB-2016-005163 // CNNVD: CNNVD-201610-081

EXTERNAL IDS

db:	NVD	id:	CVE-2016-6426	Trust: 2.8
db:	SECTRACK	id:	1036952	Trust: 1.7
db:	BID	id:	93420	Trust: 1.4
db:	JVNDB	id:	JVNDB-2016-005163	Trust: 0.8
db:	CNNVD	id:	CNNVD-201610-081	Trust: 0.7
db:	VULHUB	id:	VHN-95246	Trust: 0.1

sources: VULHUB: VHN-95246 // BID: 93420 // JVNDB: JVNDB-2016-005163 // CNNVD: CNNVD-201610-081 // NVD: CVE-2016-6426

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161005-ucis2	Trust: 2.0
url:	http://www.securityfocus.com/bid/93420	Trust: 1.1
url:	http://www.securitytracker.com/id/1036952	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6426	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6426	Trust: 0.8
url:	http://securitytracker.com/id/1036952	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-95246 // BID: 93420 // JVNDB: JVNDB-2016-005163 // CNNVD: CNNVD-201610-081 // NVD: CVE-2016-6426

CREDITS

Cisco

Trust: 0.3

sources: BID: 93420

SOURCES

db:	VULHUB	id:	VHN-95246
db:	BID	id:	93420
db:	JVNDB	id:	JVNDB-2016-005163
db:	CNNVD	id:	CNNVD-201610-081
db:	NVD	id:	CVE-2016-6426

LAST UPDATE DATE

2024-11-23T22:52:38.940000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-95246	date:	2017-07-30T00:00:00
db:	BID	id:	93420	date:	2016-10-10T00:05:00
db:	JVNDB	id:	JVNDB-2016-005163	date:	2016-10-13T00:00:00
db:	CNNVD	id:	CNNVD-201610-081	date:	2016-10-11T00:00:00
db:	NVD	id:	CVE-2016-6426	date:	2024-11-21T02:56:06.463

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-95246	date:	2016-10-05T00:00:00
db:	BID	id:	93420	date:	2016-10-05T00:00:00
db:	JVNDB	id:	JVNDB-2016-005163	date:	2016-10-13T00:00:00
db:	CNNVD	id:	CNNVD-201610-081	date:	2016-10-11T00:00:00
db:	NVD	id:	CVE-2016-6426	date:	2016-10-05T21:59:00.180