ID

VAR-201910-0975


CVE

CVE-2019-15259


TITLE

Cisco Unified Contact Center Express Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010440

DESCRIPTION

A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request on an affected device. A successful exploit could allow the attacker to perform cross-site scripting attacks, poison web caches, access sensitive browser-based information, and carry out similar exploits. UCCX supports functions such as self-service voice service, call distribution, and customer access control.

Trust: 1.71

sources: NVD: CVE-2019-15259 // JVNDB: JVNDB-2019-010440 // VULHUB: VHN-147287

AFFECTED PRODUCTS

vendor: cisco, model: unified contact center express, scope: eq, version: 12.0(1)

Trust: 1.0

vendor: cisco, model: unified contact center express, scope: lt, version: 11.6(2)

Trust: 1.0

vendor: cisco, model: unified contact center express, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010440 // NVD: CVE-2019-15259

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15259
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-15259
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-15259
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201910-144
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147287
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-15259
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-147287
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-15259
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-15259
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259 // NVD: CVE-2019-15259

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.1

problemtype:CWE-113

Trust: 1.0

problemtype:CWE-20

Trust: 0.9

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // NVD: CVE-2019-15259

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-144

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-144

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010440

PATCH

title: cisco-sa-20191002-uccx-http, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-uccx-http

Trust: 0.8

title: Cisco Unified Contact Center Express Repair measures for injecting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98879

Trust: 0.6

sources: JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144

EXTERNAL IDS

db: NVD, id: CVE-2019-15259

Trust: 2.5

db: JVNDB, id: JVNDB-2019-010440

Trust: 0.8

db: CNNVD, id: CNNVD-201910-144

Trust: 0.7

db: AUSCERT, id: ESB-2019.3727

Trust: 0.6

db: VULHUB, id: VHN-147287

Trust: 0.1

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-15259

Trust: 1.4

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191002-uccx-http

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15259

Trust: 0.8

url:http

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3727/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-information-disclosure-via-http-response-splitting-30521

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191002-uccx-

Trust: 0.6

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259

SOURCES

db: VULHUB, id: VHN-147287
db: JVNDB, id: JVNDB-2019-010440
db: CNNVD, id: CNNVD-201910-144
db: NVD, id: CVE-2019-15259

LAST UPDATE DATE

2024-08-14T14:04:10.940000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-147287, date: 2020-10-16T00:00:00
db: JVNDB, id: JVNDB-2019-010440, date: 2019-10-15T00:00:00
db: CNNVD, id: CNNVD-201910-144, date: 2020-10-21T00:00:00
db: NVD, id: CVE-2019-15259, date: 2020-10-16T13:16:59.520

SOURCES RELEASE DATE

db: VULHUB, id: VHN-147287, date: 2019-10-02T00:00:00
db: JVNDB, id: JVNDB-2019-010440, date: 2019-10-15T00:00:00
db: CNNVD, id: CNNVD-201910-144, date: 2019-10-02T00:00:00
db: NVD, id: CVE-2019-15259, date: 2019-10-02T19:15:15.297