ID

VAR-201902-0424


CVE

CVE-2019-1660


TITLE

Cisco TelePresence Management Suite Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-001902

DESCRIPTION

A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco TelePresence Management Suite (TMS) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to a lack of proper access and authentication controls on the affected TMS software. An attacker could exploit this vulnerability by gaining access to internal, trusted networks to send crafted SOAP calls to the affected device. If successful, an exploit could allow the attacker to access system management tools. Under normal circumstances, this access should be prohibited. Remote attackers can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvj25332. This product is mainly used to deploy large-scale remote and local video conferencing, and provides contact management and centralized configuration management

Trust: 2.07

sources: NVD: CVE-2019-1660 // JVNDB: JVNDB-2019-001902 // BID: 106918 // VULHUB: VHN-148762 // VULMON: CVE-2019-1660

AFFECTED PRODUCTS

vendor:ciscomodel:telepresence management suitescope:eqversion:15.2.1

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.3

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.7

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.1

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.5

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.4

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.6

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope:eqversion:15.0

Trust: 1.0

vendor:ciscomodel:telepresence management suitescope: - version: -

Trust: 0.8

vendor:ciscomodel:telepresence management suitescope:eqversion:0

Trust: 0.3

sources: BID: 106918 // JVNDB: JVNDB-2019-001902 // NVD: CVE-2019-1660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1660
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1660
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1660
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-291
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148762
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-1660
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1660
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-148762
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1660
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-148762 // VULMON: CVE-2019-1660 // JVNDB: JVNDB-2019-001902 // CNNVD: CNNVD-201902-291 // NVD: CVE-2019-1660 // NVD: CVE-2019-1660

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-284

Trust: 1.0

sources: VULHUB: VHN-148762 // JVNDB: JVNDB-2019-001902 // NVD: CVE-2019-1660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-291

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201902-291

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001902

PATCH

title:cisco-sa-20190206-tms-soapurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-tms-soap

Trust: 0.8

title:Cisco: Cisco TelePresence Management Suite Simple Object Access Protocol Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190206-tms-soap

Trust: 0.1

title:cs-reaource-linksurl:https://github.com/rayiik/cs-reaource-links

Trust: 0.1

sources: VULMON: CVE-2019-1660 // JVNDB: JVNDB-2019-001902

EXTERNAL IDS

db:NVDid:CVE-2019-1660

Trust: 2.9

db:BIDid:106918

Trust: 2.1

db:JVNDBid:JVNDB-2019-001902

Trust: 0.8

db:CNNVDid:CNNVD-201902-291

Trust: 0.7

db:VULHUBid:VHN-148762

Trust: 0.1

db:VULMONid:CVE-2019-1660

Trust: 0.1

sources: VULHUB: VHN-148762 // VULMON: CVE-2019-1660 // BID: 106918 // JVNDB: JVNDB-2019-001902 // CNNVD: CNNVD-201902-291 // NVD: CVE-2019-1660

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190206-tms-soap

Trust: 2.2

url:http://www.securityfocus.com/bid/106918

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-1660

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1660

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/264.html

Trust: 0.1

url:https://github.com/rayiik/cs-reaource-links

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-148762 // VULMON: CVE-2019-1660 // BID: 106918 // JVNDB: JVNDB-2019-001902 // CNNVD: CNNVD-201902-291 // NVD: CVE-2019-1660

CREDITS

the reporting entity has requested to remain anonymous.,This vulnerability was externally reported to Cisco; however,The vendor reported this issue.

Trust: 0.6

sources: CNNVD: CNNVD-201902-291

SOURCES

db:VULHUBid:VHN-148762
db:VULMONid:CVE-2019-1660
db:BIDid:106918
db:JVNDBid:JVNDB-2019-001902
db:CNNVDid:CNNVD-201902-291
db:NVDid:CVE-2019-1660

LAST UPDATE DATE

2024-11-23T22:12:09.611000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-148762date:2019-10-09T00:00:00
db:VULMONid:CVE-2019-1660date:2019-10-09T00:00:00
db:BIDid:106918date:2019-02-06T00:00:00
db:JVNDBid:JVNDB-2019-001902date:2019-03-28T00:00:00
db:CNNVDid:CNNVD-201902-291date:2019-03-04T00:00:00
db:NVDid:CVE-2019-1660date:2024-11-21T04:37:02.263

SOURCES RELEASE DATE

db:VULHUBid:VHN-148762date:2019-02-07T00:00:00
db:VULMONid:CVE-2019-1660date:2019-02-07T00:00:00
db:BIDid:106918date:2019-02-06T00:00:00
db:JVNDBid:JVNDB-2019-001902date:2019-03-28T00:00:00
db:CNNVDid:CNNVD-201902-291date:2019-02-06T00:00:00
db:NVDid:CVE-2019-1660date:2019-02-07T21:29:00.187