ID

VAR-201709-0677


CVE

CVE-2017-12214


TITLE

Cisco Unified Customer Voice Portal Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-008413

DESCRIPTION

A vulnerability in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to gain elevated privileges. The vulnerability is due to a lack of proper input validation. An attacker could exploit this vulnerability by authenticating to the OAMP and sending a crafted HTTP request. A successful exploit could allow the attacker to gain administrator privileges. The attacker must successfully authenticate to the system to exploit this vulnerability. This vulnerability affects Cisco Unified Customer Voice Portal (CVP) running software release 10.5, 11.0, or 11.5. Cisco Bug IDs: CSCve92752. The vendor has confirmed this vulnerability and released it as Bug ID CSCve92752. Information may be obtained or altered, and service operation may be disrupted (DoS). Successful exploits may aid in further attacks.

Trust: 1.98

sources: NVD: CVE-2017-12214 // JVNDB: JVNDB-2017-008413 // BID: 100931 // VULHUB: VHN-102714

AFFECTED PRODUCTS

vendor: cisco, model: unified customer voice portal, scope: eq, version: 11.5

Trust: 2.7

vendor: cisco, model: unified customer voice portal, scope: eq, version: 11.0

Trust: 2.7

vendor: cisco, model: unified customer voice portal, scope: eq, version: 10.5

Trust: 2.7

vendor: cisco, model: unified customer voice portal, scope: eq, version: 11.5(1)

Trust: 0.3

sources: BID: 100931 // JVNDB: JVNDB-2017-008413 // CNNVD: CNNVD-201709-1040 // NVD: CVE-2017-12214

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12214
value: HIGH

Trust: 1.0

NVD: CVE-2017-12214
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201709-1040
value: HIGH

Trust: 0.6

VULHUB: VHN-102714
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12214
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102714
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12214
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102714 // JVNDB: JVNDB-2017-008413 // CNNVD: CNNVD-201709-1040 // NVD: CVE-2017-12214

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.9

problemtype: CWE-20

Trust: 1.1

sources: VULHUB: VHN-102714 // JVNDB: JVNDB-2017-008413 // NVD: CVE-2017-12214

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-1040

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 100931 // CNNVD: CNNVD-201709-1040

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-008413

PATCH

title: cisco-sa-20170920-cvp, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp

Trust: 0.8

title: Cisco Unified Customer Voice Portal Fixes for permission permissions and access control vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75054

Trust: 0.6

sources: JVNDB: JVNDB-2017-008413 // CNNVD: CNNVD-201709-1040

EXTERNAL IDS

db: NVD, id: CVE-2017-12214

Trust: 2.8

db: BID, id: 100931

Trust: 2.0

db: SECTRACK, id: 1039411

Trust: 1.7

db: JVNDB, id: JVNDB-2017-008413

Trust: 0.8

db: CNNVD, id: CNNVD-201709-1040

Trust: 0.7

db: VULHUB, id: VHN-102714

Trust: 0.1

sources: VULHUB: VHN-102714 // BID: 100931 // JVNDB: JVNDB-2017-008413 // CNNVD: CNNVD-201709-1040 // NVD: CVE-2017-12214

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170920-cvp

Trust: 2.0

url: http://www.securityfocus.com/bid/100931

Trust: 1.7

url: http://www.securitytracker.com/id/1039411

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12214

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-12214

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: http://www.cisco.com/en/us/products/sw/custcosw/ps1006/index.html

Trust: 0.3

sources: VULHUB: VHN-102714 // BID: 100931 // JVNDB: JVNDB-2017-008413 // CNNVD: CNNVD-201709-1040 // NVD: CVE-2017-12214

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 100931

SOURCES

db: VULHUB, id: VHN-102714
db: BID, id: 100931
db: JVNDB, id: JVNDB-2017-008413
db: CNNVD, id: CNNVD-201709-1040
db: NVD, id: CVE-2017-12214

LAST UPDATE DATE

2024-11-23T22:34:29.751000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-102714, date: 2019-10-09T00:00:00
db: BID, id: 100931, date: 2017-09-20T00:00:00
db: JVNDB, id: JVNDB-2017-008413, date: 2017-10-18T00:00:00
db: CNNVD, id: CNNVD-201709-1040, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-12214, date: 2024-11-21T03:09:02.943

SOURCES RELEASE DATE

db: VULHUB, id: VHN-102714, date: 2017-09-21T00:00:00
db: BID, id: 100931, date: 2017-09-20T00:00:00
db: JVNDB, id: JVNDB-2017-008413, date: 2017-10-18T00:00:00
db: CNNVD, id: CNNVD-201709-1040, date: 2017-09-22T00:00:00
db: NVD, id: CVE-2017-12214, date: 2017-09-21T05:29:00.233