ID

VAR-201703-0885


CVE

CVE-2017-3872


TITLE

Cross-site scripting vulnerability in the Web-based scripting interface of Cisco Unified Communications Manager

Trust: 0.8

sources: JVNDB: JVNDB-2017-002461

DESCRIPTION

A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of an affected device. More Information: CSCvc21620. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.641) 12.0(0.98000.500) 12.0(0.98000.219). An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvc21620. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 2.07

sources: NVD: CVE-2017-3872 // JVNDB: JVNDB-2017-002461 // BID: 96916 // VULHUB: VHN-112075 // VULMON: CVE-2017-3872

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 10.5(2.14076.1)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.0(1.10000.10)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 10.5(2.10000.5)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(1.10000.6)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: 10.5(2.14076.1)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: eq, version: 0

Trust: 0.3

sources: BID: 96916 // JVNDB: JVNDB-2017-002461 // CNNVD: CNNVD-201703-679 // NVD: CVE-2017-3872

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3872
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3872
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-679
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112075
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-3872
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3872
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-112075
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3872
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-112075 // VULMON: CVE-2017-3872 // JVNDB: JVNDB-2017-002461 // CNNVD: CNNVD-201703-679 // NVD: CVE-2017-3872

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-112075 // JVNDB: JVNDB-2017-002461 // NVD: CVE-2017-3872

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-679

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-679

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002461

PATCH

title: cisco-sa-20170315-ucm, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucm

Trust: 0.8

title: Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68423

Trust: 0.6

sources: JVNDB: JVNDB-2017-002461 // CNNVD: CNNVD-201703-679

EXTERNAL IDS

db: NVD, id: CVE-2017-3872

Trust: 2.9

db: BID, id: 96916

Trust: 2.1

db: SECTRACK, id: 1038036

Trust: 1.8

db: JVNDB, id: JVNDB-2017-002461

Trust: 0.8

db: CNNVD, id: CNNVD-201703-679

Trust: 0.7

db: VULHUB, id: VHN-112075

Trust: 0.1

db: VULMON, id: CVE-2017-3872

Trust: 0.1

sources: VULHUB: VHN-112075 // VULMON: CVE-2017-3872 // BID: 96916 // JVNDB: JVNDB-2017-002461 // CNNVD: CNNVD-201703-679 // NVD: CVE-2017-3872

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170315-ucm

Trust: 2.1

url:http://www.securityfocus.com/bid/96916

Trust: 1.9

url:http://www.securitytracker.com/id/1038036

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3872

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3872

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:http://www.cisco.com/en/us/products/sw/voicesw/ps556/index.html

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-112075 // VULMON: CVE-2017-3872 // BID: 96916 // JVNDB: JVNDB-2017-002461 // CNNVD: CNNVD-201703-679 // NVD: CVE-2017-3872

CREDITS

Cisco

Trust: 0.9

sources: BID: 96916 // CNNVD: CNNVD-201703-679

SOURCES

db: VULHUB, id: VHN-112075
db: VULMON, id: CVE-2017-3872
db: BID, id: 96916
db: JVNDB, id: JVNDB-2017-002461
db: CNNVD, id: CNNVD-201703-679
db: NVD, id: CVE-2017-3872

LAST UPDATE DATE

2024-11-23T23:05:28.789000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112075, date: 2019-04-22T00:00:00
db: VULMON, id: CVE-2017-3872, date: 2019-04-22T00:00:00
db: BID, id: 96916, date: 2017-03-16T00:03:00
db: JVNDB, id: JVNDB-2017-002461, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-679, date: 2019-04-23T00:00:00
db: NVD, id: CVE-2017-3872, date: 2024-11-21T03:26:17.250

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112075, date: 2017-03-17T00:00:00
db: VULMON, id: CVE-2017-3872, date: 2017-03-17T00:00:00
db: BID, id: 96916, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002461, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-679, date: 2017-03-16T00:00:00
db: NVD, id: CVE-2017-3872, date: 2017-03-17T22:59:00.407