ID

VAR-201806-1037


CVE

CVE-2018-0354


TITLE

Cisco Unity Connection vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-006151

DESCRIPTION

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvf76417. The vendor has published this vulnerability as Bug ID CSCvf76417. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The platform can use voice commands to make calls or listen to messages "hands-free".

Trust: 2.07

sources: NVD: CVE-2018-0354 // JVNDB: JVNDB-2018-006151 // BID: 104426 // VULHUB: VHN-118556 // VULMON: CVE-2018-0354

AFFECTED PRODUCTS

vendor: cisco, model: unity connection, scope: eq, version: 12.5

Trust: 1.9

vendor: cisco, model: unity connection, scope: -, version: -

Trust: 0.8

sources: BID: 104426 // JVNDB: JVNDB-2018-006151 // CNNVD: CNNVD-201806-363 // NVD: CVE-2018-0354

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0354
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0354
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-363
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118556
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0354
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0354
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-118556
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0354
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118556 // VULMON: CVE-2018-0354 // JVNDB: JVNDB-2018-006151 // CNNVD: CNNVD-201806-363 // NVD: CVE-2018-0354

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-118556 // JVNDB: JVNDB-2018-006151 // NVD: CVE-2018-0354

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-363

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006151

PATCH

title: cisco-sa-20180606-cuc-xss
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cuc-xss

Trust: 0.8

title: Cisco Unity Connection Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80718

Trust: 0.6

title: Cisco: Cisco Unity Connection Cross-Site Scripting Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180606-cuc-xss

Trust: 0.1

sources: VULMON: CVE-2018-0354 // JVNDB: JVNDB-2018-006151 // CNNVD: CNNVD-201806-363

EXTERNAL IDS

db: NVD, id: CVE-2018-0354

Trust: 2.9

db: BID, id: 104426

Trust: 2.1

db: SECTRACK, id: 1041067

Trust: 1.8

db: JVNDB, id: JVNDB-2018-006151

Trust: 0.8

db: CNNVD, id: CNNVD-201806-363

Trust: 0.7

db: VULHUB, id: VHN-118556

Trust: 0.1

db: VULMON, id: CVE-2018-0354

Trust: 0.1

sources: VULHUB: VHN-118556 // VULMON: CVE-2018-0354 // BID: 104426 // JVNDB: JVNDB-2018-006151 // CNNVD: CNNVD-201806-363 // NVD: CVE-2018-0354

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180606-cuc-xss

Trust: 2.2

url:http://www.securityfocus.com/bid/104426

Trust: 1.9

url:http://www.securitytracker.com/id/1041067

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0354

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0354

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:http://www.cisco.com/c/en/us/products/unified-communications/unity-connection/index.html

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-118556 // VULMON: CVE-2018-0354 // BID: 104426 // JVNDB: JVNDB-2018-006151 // CNNVD: CNNVD-201806-363 // NVD: CVE-2018-0354

CREDITS

Cisco

Trust: 0.3

sources: BID: 104426

SOURCES

db: VULHUB, id: VHN-118556
db: VULMON, id: CVE-2018-0354
db: BID, id: 104426
db: JVNDB, id: JVNDB-2018-006151
db: CNNVD, id: CNNVD-201806-363
db: NVD, id: CVE-2018-0354

LAST UPDATE DATE

2024-11-23T22:00:29.247000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118556, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2018-0354, date: 2019-10-09T00:00:00
db: BID, id: 104426, date: 2018-06-06T00:00:00
db: JVNDB, id: JVNDB-2018-006151, date: 2018-08-09T00:00:00
db: CNNVD, id: CNNVD-201806-363, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0354, date: 2024-11-21T03:38:02.817

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118556, date: 2018-06-07T00:00:00
db: VULMON, id: CVE-2018-0354, date: 2018-06-07T00:00:00
db: BID, id: 104426, date: 2018-06-06T00:00:00
db: JVNDB, id: JVNDB-2018-006151, date: 2018-08-09T00:00:00
db: CNNVD, id: CNNVD-201806-363, date: 2018-06-08T00:00:00
db: NVD, id: CVE-2018-0354, date: 2018-06-07T21:29:00.790