ID

VAR-201610-0289


CVE

CVE-2016-6440


TITLE

Cisco Unified Communications Manager Vulnerable to a clickjacking attack

Trust: 0.8

sources: JVNDB: JVNDB-2016-005695

DESCRIPTION

The Cisco Unified Communications Manager (CUCM) may be vulnerable to data that can be displayed inside an iframe within a web page, which in turn could lead to a clickjacking attack. More Information: CSCuz64683, CSCuz64698. Known Affected Releases: 11.0(1.10000.10), 11.5(1.10000.6), 11.5(0.99838.4). Known Fixed Releases: 11.0(1.22048.1), 11.5(0.98000.1070), 11.5(0.98000.284), 11.5(0.98000.346), 11.5(0.98000.768), 11.5(1.10000.3), 11.5(1.10000.6), 11.5(2.10000.2). The vendor has confirmed this vulnerability and released it as Bug IDs CSCuz64683 and CSCuz64698. A clickjacking attack may be performed. Other attacks are also possible. This issue is being tracked by Cisco Bug IDs CSCuz64683 and CSCuz64698. Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is a call processing component in Cisco's unified communication system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. There is a clickjacking attack vulnerability in CUCM.

Trust: 1.98

sources: NVD: CVE-2016-6440 // JVNDB: JVNDB-2016-005695 // BID: 93521 // VULHUB: VHN-95260

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5\(0.99838.4\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(0.99838.4)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: eq, version: -

Trust: 0.3

sources: BID: 93521 // JVNDB: JVNDB-2016-005695 // CNNVD: CNNVD-201610-805 // NVD: CVE-2016-6440

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6440
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-6440
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201610-805
value: MEDIUM

Trust: 0.6

VULHUB: VHN-95260
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-6440
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-95260
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-6440
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-95260 // JVNDB: JVNDB-2016-005695 // CNNVD: CNNVD-201610-805 // NVD: CVE-2016-6440

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-95260 // JVNDB: JVNDB-2016-005695 // NVD: CVE-2016-6440

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-805

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201610-805

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005695

PATCH

title: cisco-sa-20161012-ucm, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-ucm

Trust: 0.8

title: Fix for the Cisco Unified Communications Manager clickjacking attack vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65140

Trust: 0.6

sources: JVNDB: JVNDB-2016-005695 // CNNVD: CNNVD-201610-805

EXTERNAL IDS

db: NVD, id: CVE-2016-6440

Trust: 2.8

db: BID, id: 93521

Trust: 1.4

db: SECTRACK, id: 1037005

Trust: 1.1

db: JVNDB, id: JVNDB-2016-005695

Trust: 0.8

db: CNNVD, id: CNNVD-201610-805

Trust: 0.7

db: VULHUB, id: VHN-95260

Trust: 0.1

sources: VULHUB: VHN-95260 // BID: 93521 // JVNDB: JVNDB-2016-005695 // CNNVD: CNNVD-201610-805 // NVD: CVE-2016-6440

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161012-ucm

Trust: 2.0

url: http://www.securityfocus.com/bid/93521

Trust: 1.1

url: http://www.securitytracker.com/id/1037005

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6440

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6440

Trust: 0.8

url: http://www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-95260 // BID: 93521 // JVNDB: JVNDB-2016-005695 // CNNVD: CNNVD-201610-805 // NVD: CVE-2016-6440

CREDITS

Cisco

Trust: 0.3

sources: BID: 93521

SOURCES

db: VULHUB, id: VHN-95260
db: BID, id: 93521
db: JVNDB, id: JVNDB-2016-005695
db: CNNVD, id: CNNVD-201610-805
db: NVD, id: CVE-2016-6440

LAST UPDATE DATE

2024-11-23T22:13:13.308000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-95260, date: 2017-07-29T00:00:00
db: BID, id: 93521, date: 2016-10-26T02:05:00
db: JVNDB, id: JVNDB-2016-005695, date: 2016-11-04T00:00:00
db: CNNVD, id: CNNVD-201610-805, date: 2016-10-28T00:00:00
db: NVD, id: CVE-2016-6440, date: 2024-11-21T02:56:08.277

SOURCES RELEASE DATE

db: VULHUB, id: VHN-95260, date: 2016-10-27T00:00:00
db: BID, id: 93521, date: 2016-10-12T00:00:00
db: JVNDB, id: JVNDB-2016-005695, date: 2016-11-04T00:00:00
db: CNNVD, id: CNNVD-201610-805, date: 2016-10-28T00:00:00
db: NVD, id: CVE-2016-6440, date: 2016-10-27T21:59:12.577