ID

VAR-201610-0278


CVE

CVE-2016-6427


TITLE

Cross-site request forgery vulnerability in Cisco Unified Intelligence Center as used in Cisco Unified Contact Center Express

Trust: 0.8

sources: JVNDB: JVNDB-2016-005139

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuy75036 and CSCuy81654. The vendor has released this vulnerability as Bug IDs CSCuy75036 and CSCuy81654. A third party may be able to hijack the authentication of any user. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. This issue is being tracked by Cisco Bug IDs CSCuy75036 and CSCuy81654. Unified CCX is a customer relationship management component in a unified communication solution; CUIC is a web-based reporting platform.

Trust: 1.98

sources: NVD: CVE-2016-6427 // JVNDB: JVNDB-2016-005139 // BID: 93418 // VULHUB: VHN-95247

AFFECTED PRODUCTS

vendor: cisco, model: unified intelligence center, scope: eq, version: 9.0(2)

Trust: 1.6

vendor: cisco, model: unified intelligence center, scope: eq, version: 8.5.4

Trust: 1.6

vendor: cisco, model: unified contact center express, scope: eq, version: 11.0(1)

Trust: 1.6

vendor: cisco, model: unified contact center express, scope: eq, version: 10.0(1)

Trust: 1.6

vendor: cisco, model: unified contact center express, scope: eq, version: 10.6(1)

Trust: 1.6

vendor: cisco, model: unified intelligence center, scope: eq, version: 9.1(1)

Trust: 1.6

vendor: cisco, model: unified contact center express, scope: eq, version: 10.5(1)

Trust: 1.6

vendor: cisco, model: unified contact center express, scope: eq, version: 10.0(1) to 11.0(1)

Trust: 0.8

vendor: cisco, model: unified intelligence center, scope: eq, version: 8.5.4 to 9.1(1)

Trust: 0.8

vendor: cisco, model: unified intelligence center, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: unified contact center express, scope: eq, version: 0

Trust: 0.3

sources: BID: 93418 // JVNDB: JVNDB-2016-005139 // CNNVD: CNNVD-201610-080 // NVD: CVE-2016-6427

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-6427
value: HIGH

Trust: 1.0

NVD: CVE-2016-6427
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201610-080
value: MEDIUM

Trust: 0.6

VULHUB: VHN-95247
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-6427
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-95247
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-6427
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-95247 // JVNDB: JVNDB-2016-005139 // CNNVD: CNNVD-201610-080 // NVD: CVE-2016-6427

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-95247 // JVNDB: JVNDB-2016-005139 // NVD: CVE-2016-6427

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-080

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201610-080

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005139

PATCH

title: cisco-sa-20161005-ucis3, url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ucis3

Trust: 0.8

title: Cisco Unified Intelligence Center Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=64508

Trust: 0.6

sources: JVNDB: JVNDB-2016-005139 // CNNVD: CNNVD-201610-080

EXTERNAL IDS

db: NVD, id: CVE-2016-6427

Trust: 2.8

db: SECTRACK, id: 1036953

Trust: 1.7

db: BID, id: 93418

Trust: 1.4

db: JVNDB, id: JVNDB-2016-005139

Trust: 0.8

db: CNNVD, id: CNNVD-201610-080

Trust: 0.7

db: VULHUB, id: VHN-95247

Trust: 0.1

sources: VULHUB: VHN-95247 // BID: 93418 // JVNDB: JVNDB-2016-005139 // CNNVD: CNNVD-201610-080 // NVD: CVE-2016-6427

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161005-ucis3

Trust: 2.0

url:http://www.securityfocus.com/bid/93418

Trust: 1.1

url:http://www.securitytracker.com/id/1036953

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6427

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6427

Trust: 0.8

url:http://securitytracker.com/id/1036953

Trust: 0.6

url:http://www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-95247 // BID: 93418 // JVNDB: JVNDB-2016-005139 // CNNVD: CNNVD-201610-080 // NVD: CVE-2016-6427

CREDITS

Cisco

Trust: 0.3

sources: BID: 93418

SOURCES

db: VULHUB, id: VHN-95247
db: BID, id: 93418
db: JVNDB, id: JVNDB-2016-005139
db: CNNVD, id: CNNVD-201610-080
db: NVD, id: CVE-2016-6427

LAST UPDATE DATE

2024-11-23T22:30:56.866000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-95247, date: 2017-07-30T00:00:00
db: BID, id: 93418, date: 2016-10-10T00:05:00
db: JVNDB, id: JVNDB-2016-005139, date: 2016-10-12T00:00:00
db: CNNVD, id: CNNVD-201610-080, date: 2016-10-11T00:00:00
db: NVD, id: CVE-2016-6427, date: 2024-11-21T02:56:06.580

SOURCES RELEASE DATE

db: VULHUB, id: VHN-95247, date: 2016-10-06T00:00:00
db: BID, id: 93418, date: 2016-10-05T00:00:00
db: JVNDB, id: JVNDB-2016-005139, date: 2016-10-12T00:00:00
db: CNNVD, id: CNNVD-201610-080, date: 2016-10-11T00:00:00
db: NVD, id: CVE-2016-6427, date: 2016-10-06T10:59:12.227