ID

VAR-201703-0886


CVE

CVE-2017-3874


TITLE

Cross-site scripting vulnerability in the web framework of Cisco Unified Communications Manager

Trust: 0.8

sources: JVNDB: JVNDB-2017-002462

DESCRIPTION

A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack. More Information: CSCvb70033. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.507), 11.0(1.23900.5), 11.0(1.23900.3), 10.5(2.15900.2). An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvb70033. Cisco Unified Communications Manager provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 1.98

sources: NVD: CVE-2017-3874 // JVNDB: JVNDB-2017-002462 // BID: 96914 // VULHUB: VHN-112077

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5\(1.11007.2\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(1.11007.2)

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: eq, version: -

Trust: 0.3

sources: BID: 96914 // JVNDB: JVNDB-2017-002462 // CNNVD: CNNVD-201703-674 // NVD: CVE-2017-3874

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3874
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3874
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-674
value: LOW

Trust: 0.6

VULHUB: VHN-112077
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-3874
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-112077
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3874
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-112077 // JVNDB: JVNDB-2017-002462 // CNNVD: CNNVD-201703-674 // NVD: CVE-2017-3874

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-112077 // JVNDB: JVNDB-2017-002462 // NVD: CVE-2017-3874

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-674

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-674

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002462

PATCH

title: cisco-sa-20170315-ucm1, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucm1

Trust: 0.8

title: Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68422

Trust: 0.6

sources: JVNDB: JVNDB-2017-002462 // CNNVD: CNNVD-201703-674

EXTERNAL IDS

db: NVD, id: CVE-2017-3874

Trust: 2.8

db: BID, id: 96914

Trust: 2.0

db: SECTRACK, id: 1038037

Trust: 1.1

db: JVNDB, id: JVNDB-2017-002462

Trust: 0.8

db: CNNVD, id: CNNVD-201703-674

Trust: 0.7

db: VULHUB, id: VHN-112077

Trust: 0.1

sources: VULHUB: VHN-112077 // BID: 96914 // JVNDB: JVNDB-2017-002462 // CNNVD: CNNVD-201703-674 // NVD: CVE-2017-3874

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170315-ucm1

Trust: 2.0

url:http://www.securityfocus.com/bid/96914

Trust: 1.7

url:http://www.securitytracker.com/id/1038037

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3874

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3874

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-112077 // BID: 96914 // JVNDB: JVNDB-2017-002462 // CNNVD: CNNVD-201703-674 // NVD: CVE-2017-3874

CREDITS

Cisco

Trust: 0.9

sources: BID: 96914 // CNNVD: CNNVD-201703-674

SOURCES

db: VULHUB, id: VHN-112077
db: BID, id: 96914
db: JVNDB, id: JVNDB-2017-002462
db: CNNVD, id: CNNVD-201703-674
db: NVD, id: CVE-2017-3874

LAST UPDATE DATE

2024-11-23T23:12:32.610000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-112077, date: 2017-07-12T00:00:00
db: BID, id: 96914, date: 2017-03-16T00:03:00
db: JVNDB, id: JVNDB-2017-002462, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-674, date: 2017-03-16T00:00:00
db: NVD, id: CVE-2017-3874, date: 2024-11-21T03:26:17.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-112077, date: 2017-03-17T00:00:00
db: BID, id: 96914, date: 2017-03-15T00:00:00
db: JVNDB, id: JVNDB-2017-002462, date: 2017-04-14T00:00:00
db: CNNVD, id: CNNVD-201703-674, date: 2017-03-16T00:00:00
db: NVD, id: CVE-2017-3874, date: 2017-03-17T22:59:00.453