Details of VAR-201709-0675

ID

VAR-201709-0675

CVE

CVE-2017-12212

TITLE

Cisco Unity Connection Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-007981

DESCRIPTION

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Known Affected Releases 10.5(2). Cisco Bug IDs: CSCvf25345. Vendors have confirmed this vulnerability Bug ID CSCvf25345 It is released as.Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The platform can use voice commands to make calls or listen to messages "hands-free"

Trust: 1.98

sources: NVD: CVE-2017-12212 // JVNDB: JVNDB-2017-007981 // BID: 100645 // VULHUB: VHN-102712

AFFECTED PRODUCTS

vendor:	cisco	model:	unity connection	scope:	eq	version:	10.5\(2\)	Trust: 1.6
vendor:	cisco	model:	unity connection	scope:	eq	version:	10.5(2)	Trust: 1.1

sources: BID: 100645 // JVNDB: JVNDB-2017-007981 // CNNVD: CNNVD-201709-233 // NVD: CVE-2017-12212

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12212
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12212
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201709-233
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102712
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12212
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-102712
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12212
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-102712 // JVNDB: JVNDB-2017-007981 // CNNVD: CNNVD-201709-233 // NVD: CVE-2017-12212

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-102712 // JVNDB: JVNDB-2017-007981 // NVD: CVE-2017-12212

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-233

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201709-233

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007981

PATCH

title:	CSCvf25345 - XSS Vulnerabilities reported for Web pages of CUCA	url:	https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf25345	Trust: 0.8
title:	cisco-sa-20170906-cuc	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-cuc	Trust: 0.8
title:	Cisco Unity Connection Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74587	Trust: 0.6

sources: JVNDB: JVNDB-2017-007981 // CNNVD: CNNVD-201709-233

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12212	Trust: 2.8
db:	BID	id:	100645	Trust: 2.0
db:	SECTRACK	id:	1039277	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-007981	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-233	Trust: 0.7
db:	VULHUB	id:	VHN-102712	Trust: 0.1

sources: VULHUB: VHN-102712 // BID: 100645 // JVNDB: JVNDB-2017-007981 // CNNVD: CNNVD-201709-233 // NVD: CVE-2017-12212

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170906-cuc	Trust: 2.0
url:	http://www.securityfocus.com/bid/100645	Trust: 1.7
url:	https://quickview.cloudapps.cisco.com/quickview/bug/cscvf25345	Trust: 1.7
url:	http://www.securitytracker.com/id/1039277	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12212	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12212	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/c/en/us/products/unified-communications/unity-connection/index.html	Trust: 0.3

sources: VULHUB: VHN-102712 // BID: 100645 // JVNDB: JVNDB-2017-007981 // CNNVD: CNNVD-201709-233 // NVD: CVE-2017-12212

CREDITS

Cisco

Trust: 0.3

sources: BID: 100645

SOURCES

db:	VULHUB	id:	VHN-102712
db:	BID	id:	100645
db:	JVNDB	id:	JVNDB-2017-007981
db:	CNNVD	id:	CNNVD-201709-233
db:	NVD	id:	CVE-2017-12212

LAST UPDATE DATE

2024-11-23T23:08:55.796000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-102712	date:	2019-10-09T00:00:00
db:	BID	id:	100645	date:	2017-09-06T00:00:00
db:	JVNDB	id:	JVNDB-2017-007981	date:	2017-10-05T00:00:00
db:	CNNVD	id:	CNNVD-201709-233	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12212	date:	2024-11-21T03:09:02.687

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-102712	date:	2017-09-07T00:00:00
db:	BID	id:	100645	date:	2017-09-06T00:00:00
db:	JVNDB	id:	JVNDB-2017-007981	date:	2017-10-05T00:00:00
db:	CNNVD	id:	CNNVD-201709-233	date:	2017-09-08T00:00:00
db:	NVD	id:	CVE-2017-12212	date:	2017-09-07T21:29:00.270