ID

VAR-201806-1038


CVE

CVE-2018-0355


TITLE

Cisco Unified Communications Manager Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-006098

DESCRIPTION

A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761. The vendor has confirmed this vulnerability and released it as Bug ID CSCvg19761. Information may be obtained and information may be altered. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.

Trust: 2.07

sources: NVD: CVE-2018-0355 // JVNDB: JVNDB-2018-006098 // BID: 104425 // VULHUB: VHN-118557 // VULMON: CVE-2018-0355

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 12.0\(1.10000.10\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.0\(1.10000.10\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 10.5\(2.10000.5\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5\(1.10000.6\)

Trust: 1.6

vendor: cisco, model: unified communications manager, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified communications manager, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: eq, version: 11.5(1.10000.6)

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: ne, version: 12.5(0.98000.667)

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: ne, version: 12.5(0.98000.666)

Trust: 0.3

vendor: cisco, model: unified communications manager, scope: ne, version: 11.5(1.15900.8)

Trust: 0.3

sources: BID: 104425 // JVNDB: JVNDB-2018-006098 // CNNVD: CNNVD-201806-362 // NVD: CVE-2018-0355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0355
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0355
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-362
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118557
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0355
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0355
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-118557
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0355
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2018-0355
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-118557 // VULMON: CVE-2018-0355 // JVNDB: JVNDB-2018-006098 // CNNVD: CNNVD-201806-362 // NVD: CVE-2018-0355

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-1021

Trust: 1.0

sources: VULHUB: VHN-118557 // JVNDB: JVNDB-2018-006098 // NVD: CVE-2018-0355

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-362

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 104425 // CNNVD: CNNVD-201806-362

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006098

PATCH

title: cisco-sa-20180606-cucm-xfs, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

Trust: 0.8

title: Cisco: Cisco Unified Communications Manager Cross-Frame Scripting Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180606-cucm-xfs

Trust: 0.1

sources: VULMON: CVE-2018-0355 // JVNDB: JVNDB-2018-006098

EXTERNAL IDS

db: NVD, id: CVE-2018-0355

Trust: 2.9

db: BID, id: 104425

Trust: 2.1

db: SECTRACK, id: 1041068

Trust: 1.8

db: JVNDB, id: JVNDB-2018-006098

Trust: 0.8

db: CNNVD, id: CNNVD-201806-362

Trust: 0.7

db: VULHUB, id: VHN-118557

Trust: 0.1

db: VULMON, id: CVE-2018-0355

Trust: 0.1

sources: VULHUB: VHN-118557 // VULMON: CVE-2018-0355 // BID: 104425 // JVNDB: JVNDB-2018-006098 // CNNVD: CNNVD-201806-362 // NVD: CVE-2018-0355

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180606-cucm-xfs

Trust: 2.2

url:http://www.securityfocus.com/bid/104425

Trust: 1.8

url:http://www.securitytracker.com/id/1041068

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0355

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0355

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/1021.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-118557 // VULMON: CVE-2018-0355 // BID: 104425 // JVNDB: JVNDB-2018-006098 // CNNVD: CNNVD-201806-362 // NVD: CVE-2018-0355

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 104425

SOURCES

db: VULHUB, id: VHN-118557
db: VULMON, id: CVE-2018-0355
db: BID, id: 104425
db: JVNDB, id: JVNDB-2018-006098
db: CNNVD, id: CNNVD-201806-362
db: NVD, id: CVE-2018-0355

LAST UPDATE DATE

2024-11-23T22:41:49.247000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118557, date: 2020-09-04T00:00:00
db: VULMON, id: CVE-2018-0355, date: 2020-09-04T00:00:00
db: BID, id: 104425, date: 2018-06-06T00:00:00
db: JVNDB, id: JVNDB-2018-006098, date: 2018-08-07T00:00:00
db: CNNVD, id: CNNVD-201806-362, date: 2020-09-07T00:00:00
db: NVD, id: CVE-2018-0355, date: 2024-11-21T03:38:02.950

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118557, date: 2018-06-07T00:00:00
db: VULMON, id: CVE-2018-0355, date: 2018-06-07T00:00:00
db: BID, id: 104425, date: 2018-06-06T00:00:00
db: JVNDB, id: JVNDB-2018-006098, date: 2018-08-07T00:00:00
db: CNNVD, id: CNNVD-201806-362, date: 2018-06-08T00:00:00
db: NVD, id: CVE-2018-0355, date: 2018-06-07T21:29:00.837