Details of VAR-201910-0975

ID

VAR-201910-0975

CVE

CVE-2019-15259

TITLE

Cisco Unified Contact Center Express Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010440

DESCRIPTION

A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request on an affected device. A successful exploit could allow the attacker to perform cross-site scripting attacks, web cache poisoning, access sensitive browser-based information, and similar exploits. This component supports functions such as self-service voice service, call distribution, and customer access control

Trust: 1.71

sources: NVD: CVE-2019-15259 // JVNDB: JVNDB-2019-010440 // VULHUB: VHN-147287

AFFECTED PRODUCTS

vendor:	cisco	model:	unified contact center express	scope:	eq	version:	12.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unified contact center express	scope:	lt	version:	11.6\(2\)	Trust: 1.0
vendor:	cisco	model:	unified contact center express	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-010440 // NVD: CVE-2019-15259

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-15259
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-15259
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-15259
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201910-144
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-147287
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-15259
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-147287
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-15259
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-15259
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259 // NVD: CVE-2019-15259

PROBLEMTYPE DATA

problemtype:	CWE-74	Trust: 1.1
problemtype:	CWE-113	Trust: 1.0
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // NVD: CVE-2019-15259

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-144

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-144

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010440

PATCH

title:	cisco-sa-20191002-uccx-http	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-uccx-http	Trust: 0.8
title:	Cisco Unified Contact Center Express Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98879	Trust: 0.6

sources: JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144

EXTERNAL IDS

db:	NVD	id:	CVE-2019-15259	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-010440	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-144	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3727	Trust: 0.6
db:	VULHUB	id:	VHN-147287	Trust: 0.1

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-15259	Trust: 1.4
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191002-uccx-http	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15259	Trust: 0.8
url:	http	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3727/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-information-disclosure-via-http-response-splitting-30521	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191002-uccx-	Trust: 0.6

sources: VULHUB: VHN-147287 // JVNDB: JVNDB-2019-010440 // CNNVD: CNNVD-201910-144 // NVD: CVE-2019-15259

SOURCES

db:	VULHUB	id:	VHN-147287
db:	JVNDB	id:	JVNDB-2019-010440
db:	CNNVD	id:	CNNVD-201910-144
db:	NVD	id:	CVE-2019-15259

LAST UPDATE DATE

2024-08-14T14:04:10.940000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-147287	date:	2020-10-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-010440	date:	2019-10-15T00:00:00
db:	CNNVD	id:	CNNVD-201910-144	date:	2020-10-21T00:00:00
db:	NVD	id:	CVE-2019-15259	date:	2020-10-16T13:16:59.520

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-147287	date:	2019-10-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-010440	date:	2019-10-15T00:00:00
db:	CNNVD	id:	CNNVD-201910-144	date:	2019-10-02T00:00:00
db:	NVD	id:	CVE-2019-15259	date:	2019-10-02T19:15:15.297