ID

VAR-201702-0796


CVE

CVE-2017-3833


TITLE

Cross-site scripting vulnerability in the web framework of Cisco Unified Communications Manager

Trust: 0.8

sources: JVNDB: JVNDB-2017-001684

DESCRIPTION

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. More Information: CSCvb95951. Known Affected Releases: 12.0(0.99999.2). Known Fixed Releases: 11.0(1.23064.1) 11.5(1.12031.1) 11.5(1.12900.21) 11.5(1.12900.7) 11.5(1.12900.8) 11.6(1.10000.4) 12.0(0.98000.155) 12.0(0.98000.178) 12.0(0.98000.366) 12.0(0.98000.367) 12.0(0.98000.468) 12.0(0.98000.469) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6). An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvb95951. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.98

sources: NVD: CVE-2017-3833 // JVNDB: JVNDB-2017-001684 // BID: 96246 // VULHUB: VHN-112036

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 12.0\(0.99999.2\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 12.0(0.99999.2)

Trust: 1.1

sources: BID: 96246 // JVNDB: JVNDB-2017-001684 // CNNVD: CNNVD-201702-666 // NVD: CVE-2017-3833

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-3833
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3833
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201702-666
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112036
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-3833
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-112036
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-3833
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-112036 // JVNDB: JVNDB-2017-001684 // CNNVD: CNNVD-201702-666 // NVD: CVE-2017-3833

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-112036 // JVNDB: JVNDB-2017-001684 // NVD: CVE-2017-3833

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-666

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201702-666

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001684

PATCH

title: cisco-sa-20170215-ucm, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucm

Trust: 0.8

title: Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68165

Trust: 0.6

sources: JVNDB: JVNDB-2017-001684 // CNNVD: CNNVD-201702-666

EXTERNAL IDS

db: NVD, id: CVE-2017-3833

Trust: 2.8

db: BID, id: 96246

Trust: 2.0

db: JVNDB, id: JVNDB-2017-001684

Trust: 0.8

db: CNNVD, id: CNNVD-201702-666

Trust: 0.7

db: VULHUB, id: VHN-112036

Trust: 0.1

sources: VULHUB: VHN-112036 // BID: 96246 // JVNDB: JVNDB-2017-001684 // CNNVD: CNNVD-201702-666 // NVD: CVE-2017-3833

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-ucm

Trust: 2.0

url: http://www.securityfocus.com/bid/96246

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3833

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3833

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-112036 // BID: 96246 // JVNDB: JVNDB-2017-001684 // CNNVD: CNNVD-201702-666 // NVD: CVE-2017-3833

CREDITS

Cisco

Trust: 0.9

sources: BID: 96246 // CNNVD: CNNVD-201702-666

SOURCES

db: VULHUB, id: VHN-112036
db: BID, id: 96246
db: JVNDB, id: JVNDB-2017-001684
db: CNNVD, id: CNNVD-201702-666
db: NVD, id: CVE-2017-3833

LAST UPDATE DATE

2024-11-23T22:42:13.845000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112036, date: 2017-03-01T00:00:00
db: BID, id: 96246, date: 2017-03-07T04:02:00
db: JVNDB, id: JVNDB-2017-001684, date: 2017-03-13T00:00:00
db: CNNVD, id: CNNVD-201702-666, date: 2017-02-21T00:00:00
db: NVD, id: CVE-2017-3833, date: 2024-11-21T03:26:12.400

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112036, date: 2017-02-22T00:00:00
db: BID, id: 96246, date: 2017-02-15T00:00:00
db: JVNDB, id: JVNDB-2017-001684, date: 2017-03-13T00:00:00
db: CNNVD, id: CNNVD-201702-666, date: 2017-02-21T00:00:00
db: NVD, id: CVE-2017-3833, date: 2017-02-22T02:59:00.357