ID

VAR-201807-0436


CVE

CVE-2018-0396


TITLE

Cisco Unified Communications Manager IM and Presence Service Software cross-site scripting vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288

DESCRIPTION

A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting certain malicious code. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCve25985. The vendor has confirmed this vulnerability and released it as Bug ID CSCve25985. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.98

sources: NVD: CVE-2018-0396 // JVNDB: JVNDB-2018-008279 // BID: 104872 // VULHUB: VHN-118598

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 11.5

Trust: 1.6

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 12.0

Trust: 1.6

vendor: cisco, model: unified communications manager im and presence service, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 0

Trust: 0.3

sources: BID: 104872 // JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288 // NVD: CVE-2018-0396

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0396
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0396
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201807-1288
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118598
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0396
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118598
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0396
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118598 // JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288 // NVD: CVE-2018-0396

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-118598 // JVNDB: JVNDB-2018-008279 // NVD: CVE-2018-0396

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1288

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201807-1288

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008279

PATCH

title: cisco-sa-20180718-ucmim-ps-xss, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ucmim-ps-xss

Trust: 0.8

title: Cisco Unified Communications Manager IM and Presence Service Software Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82189

Trust: 0.6

sources: JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288

EXTERNAL IDS

db: NVD, id: CVE-2018-0396

Trust: 2.8

db: BID, id: 104872

Trust: 2.0

db: SECTRACK, id: 1041349

Trust: 1.7

db: SECTRACK, id: 1041350

Trust: 1.7

db: JVNDB, id: JVNDB-2018-008279

Trust: 0.8

db: CNNVD, id: CNNVD-201807-1288

Trust: 0.7

db: VULHUB, id: VHN-118598

Trust: 0.1

sources: VULHUB: VHN-118598 // BID: 104872 // JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288 // NVD: CVE-2018-0396

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180718-ucmim-ps-xss

Trust: 2.0

url:http://www.securityfocus.com/bid/104872

Trust: 1.7

url:http://www.securitytracker.com/id/1041349

Trust: 1.7

url:http://www.securitytracker.com/id/1041350

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0396

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0396

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-118598 // BID: 104872 // JVNDB: JVNDB-2018-008279 // CNNVD: CNNVD-201807-1288 // NVD: CVE-2018-0396

CREDITS

Cisco

Trust: 0.3

sources: BID: 104872

SOURCES

db: VULHUB, id: VHN-118598
db: BID, id: 104872
db: JVNDB, id: JVNDB-2018-008279
db: CNNVD, id: CNNVD-201807-1288
db: NVD, id: CVE-2018-0396

LAST UPDATE DATE

2024-11-23T22:17:26.826000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118598, date: 2019-10-09T00:00:00
db: BID, id: 104872, date: 2018-07-18T00:00:00
db: JVNDB, id: JVNDB-2018-008279, date: 2018-10-12T00:00:00
db: CNNVD, id: CNNVD-201807-1288, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0396, date: 2024-11-21T03:38:08.507

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118598, date: 2018-07-18T00:00:00
db: BID, id: 104872, date: 2018-07-18T00:00:00
db: JVNDB, id: JVNDB-2018-008279, date: 2018-10-12T00:00:00
db: CNNVD, id: CNNVD-201807-1288, date: 2018-07-19T00:00:00
db: NVD, id: CVE-2018-0396, date: 2018-07-18T23:29:01.290