Details of VAR-201704-0958

ID

VAR-201704-0958

CVE

CVE-2017-3888

TITLE

Cisco Unified Communications Manager of Web -Based scripting interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003074

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability affects Cisco Unified Communications Manager with a default configuration running an affected software release with the attacker authenticated as the administrative user. More Information: CSCvc83712. Known Affected Releases: 12.0(0.98000.452). Known Fixed Releases: 12.0(0.98000.750) 12.0(0.98000.708) 12.0(0.98000.707) 12.0(0.98000.704) 12.0(0.98000.554) 12.0(0.98000.546) 12.0(0.98000.543) 12.0(0.98000.248) 12.0(0.98000.244) 12.0(0.98000.242). Vendors have confirmed this vulnerability Bug ID CSCvc83712 It is released as.Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCva98592 . This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.98

sources: NVD: CVE-2017-3888 // JVNDB: JVNDB-2017-003074 // BID: 97431 // VULHUB: VHN-112091

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	12.0\(0.98000.452\)	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	12.0(0.98000.452)	Trust: 0.8
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	0	Trust: 0.3

sources: BID: 97431 // JVNDB: JVNDB-2017-003074 // CNNVD: CNNVD-201704-435 // NVD: CVE-2017-3888

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-3888
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-3888
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201704-435
value:	LOW
Trust: 0.6
VULHUB:	VHN-112091
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-3888
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-112091
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-3888
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-112091 // JVNDB: JVNDB-2017-003074 // CNNVD: CNNVD-201704-435 // NVD: CVE-2017-3888

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-112091 // JVNDB: JVNDB-2017-003074 // NVD: CVE-2017-3888

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-435

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201704-435

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003074

PATCH

title:	cisco-sa-20170405-ucm1	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-ucm1	Trust: 0.8
title:	Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70139	Trust: 0.6

sources: JVNDB: JVNDB-2017-003074 // CNNVD: CNNVD-201704-435

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3888	Trust: 2.8
db:	BID	id:	97431	Trust: 1.4
db:	SECTRACK	id:	1038193	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-003074	Trust: 0.8
db:	NSFOCUS	id:	36308	Trust: 0.6
db:	CNNVD	id:	CNNVD-201704-435	Trust: 0.6
db:	VULHUB	id:	VHN-112091	Trust: 0.1

sources: VULHUB: VHN-112091 // BID: 97431 // JVNDB: JVNDB-2017-003074 // CNNVD: CNNVD-201704-435 // NVD: CVE-2017-3888

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170405-ucm1	Trust: 2.0
url:	http://www.securityfocus.com/bid/97431	Trust: 1.1
url:	http://www.securitytracker.com/id/1038193	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3888	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3888	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/36308	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/en/us/products/sw/voicesw/ps556/index.html	Trust: 0.3

sources: VULHUB: VHN-112091 // BID: 97431 // JVNDB: JVNDB-2017-003074 // CNNVD: CNNVD-201704-435 // NVD: CVE-2017-3888

CREDITS

Cisco

Trust: 0.3

sources: BID: 97431

SOURCES

db:	VULHUB	id:	VHN-112091
db:	BID	id:	97431
db:	JVNDB	id:	JVNDB-2017-003074
db:	CNNVD	id:	CNNVD-201704-435
db:	NVD	id:	CVE-2017-3888

LAST UPDATE DATE

2024-11-23T21:41:28.315000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-112091	date:	2017-07-12T00:00:00
db:	BID	id:	97431	date:	2017-04-11T00:03:00
db:	JVNDB	id:	JVNDB-2017-003074	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-435	date:	2017-05-17T00:00:00
db:	NVD	id:	CVE-2017-3888	date:	2024-11-21T03:26:19.277

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-112091	date:	2017-04-07T00:00:00
db:	BID	id:	97431	date:	2017-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-003074	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-435	date:	2017-04-07T00:00:00
db:	NVD	id:	CVE-2017-3888	date:	2017-04-07T17:59:00.480