ID

VAR-201711-0369


CVE

CVE-2017-12358


TITLE

Cisco Jabber vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-010410

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Jabber for Windows, Mac, Android, and iOS could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf79080, CSCvf79088. Cisco Jabber contains a cross-site scripting vulnerability. The vendor has published this vulnerability as Bug IDs CSCvf79080 and CSCvf79088. Information may be obtained and information may be falsified. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Cisco Jabber for Windows, Mac, Android and iOS is a set of unified communication client solutions from Cisco for the Windows, Mac, Android and iOS platforms. The program provides online status display, instant messaging, voice and other functions.

Trust: 1.98

sources: NVD: CVE-2017-12358 // JVNDB: JVNDB-2017-010410 // BID: 101992 // VULHUB: VHN-102872

AFFECTED PRODUCTS

vendor: cisco, model: jabber, scope: eq, version: 11.9(0)

Trust: 1.6

vendor: cisco, model: jabber, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: jabber, scope: -, version: -

Trust: 0.8

vendor: cisco, model: jabber for windows, scope: eq, version: 11.9(0)

Trust: 0.3

vendor: cisco, model: jabber for windows, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: jabber for mac, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: jabber for ios, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: jabber for android, scope: eq, version: 0

Trust: 0.3

sources: BID: 101992 // JVNDB: JVNDB-2017-010410 // CNNVD: CNNVD-201711-1208 // NVD: CVE-2017-12358

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12358
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12358
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201711-1208
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102872
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-12358
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102872
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12358
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102872 // JVNDB: JVNDB-2017-010410 // CNNVD: CNNVD-201711-1208 // NVD: CVE-2017-12358

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-102872 // JVNDB: JVNDB-2017-010410 // NVD: CVE-2017-12358

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-1208

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201711-1208

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010410

PATCH

title: cisco-sa-20171129-jabber1, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-jabber1

Trust: 0.8

title: Cisco Jabber for Windows, Mac, Android and iOS Cisco Jabber Cross-site scripting vulnerability Repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76827

Trust: 0.6

sources: JVNDB: JVNDB-2017-010410 // CNNVD: CNNVD-201711-1208

EXTERNAL IDS

db: NVD, id: CVE-2017-12358

Trust: 2.8

db: BID, id: 101992

Trust: 2.0

db: JVNDB, id: JVNDB-2017-010410

Trust: 0.8

db: CNNVD, id: CNNVD-201711-1208

Trust: 0.7

db: VULHUB, id: VHN-102872

Trust: 0.1

sources: VULHUB: VHN-102872 // BID: 101992 // JVNDB: JVNDB-2017-010410 // CNNVD: CNNVD-201711-1208 // NVD: CVE-2017-12358

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-jabber1

Trust: 2.0

url: http://www.securityfocus.com/bid/101992

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12358

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-12358

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-102872 // BID: 101992 // JVNDB: JVNDB-2017-010410 // CNNVD: CNNVD-201711-1208 // NVD: CVE-2017-12358

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 101992

SOURCES

db: VULHUB, id: VHN-102872
db: BID, id: 101992
db: JVNDB, id: JVNDB-2017-010410
db: CNNVD, id: CNNVD-201711-1208
db: NVD, id: CVE-2017-12358

LAST UPDATE DATE

2024-11-23T22:48:53.512000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-102872, date: 2020-05-04T00:00:00
db: BID, id: 101992, date: 2017-12-19T22:37:00
db: JVNDB, id: JVNDB-2017-010410, date: 2017-12-13T00:00:00
db: CNNVD, id: CNNVD-201711-1208, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-12358, date: 2024-11-21T03:09:22.617

SOURCES RELEASE DATE

db: VULHUB, id: VHN-102872, date: 2017-11-30T00:00:00
db: BID, id: 101992, date: 2017-11-29T00:00:00
db: JVNDB, id: JVNDB-2017-010410, date: 2017-12-13T00:00:00
db: CNNVD, id: CNNVD-201711-1208, date: 2017-12-01T00:00:00
db: NVD, id: CVE-2017-12358, date: 2017-11-30T09:29:01.230