ID

VAR-202005-0695


CVE

CVE-2020-3256


TITLE

XML External Entity vulnerability in Cisco Hosted Collaboration Mediation Fulfillment software

Trust: 0.8

sources: JVNDB: JVNDB-2020-005207

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. To exploit this vulnerability, an attacker would need administrative privileges on the Cisco HCM-F Software. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by sending malicious requests that contain references in XML entities to an affected system. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information. The product offers inventory management, license management, service provider toolkits, and more. A code issue vulnerability exists in the web-based management interface in Cisco HCM-F Software releases prior to 12.5(1)SU2.

Trust: 1.8

sources: NVD: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // VULHUB: VHN-181381 // VULMON: CVE-2020-3256

AFFECTED PRODUCTS

vendor: cisco, model: hosted collaboration mediation fulfillment, scope: lt, version: 12.5(1)su2

Trust: 1.0

vendor: cisco, model: hosted collaboration mediation fulfillment, scope: -, version: -

Trust: 0.8

vendor: cisco, model: hosted collaboration mediation fulfillment, scope: eq, version: 11.5

Trust: 0.1

vendor: cisco, model: hosted collaboration mediation fulfillment, scope: eq, version: 11.5(3)

Trust: 0.1

sources: VULMON: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // NVD: CVE-2020-3256

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3256
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3256
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-005207
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202005-210
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181381
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-3256
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3256
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-005207
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181381
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3256
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3256
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-005207
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181381 // VULMON: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // CNNVD: CNNVD-202005-210 // NVD: CVE-2020-3256 // NVD: CVE-2020-3256

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.9

sources: VULHUB: VHN-181381 // JVNDB: JVNDB-2020-005207 // NVD: CVE-2020-3256

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-210

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202005-210

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005207

PATCH

title: cisco-sa-hcmf-xxe-qqCMAUJ2
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hcmf-xxe-qqCMAUJ2

Trust: 0.8

title: Cisco Hosted Collaboration Mediation Fulfillment Software Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117812

Trust: 0.6

title: Cisco: Cisco Hosted Collaboration Mediation Fulfillment XML External Expansion Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-hcmf-xxe-qqCMAUJ2

Trust: 0.1

sources: VULMON: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // CNNVD: CNNVD-202005-210

EXTERNAL IDS

db: NVD, id: CVE-2020-3256

Trust: 2.6

db: JVNDB, id: JVNDB-2020-005207

Trust: 0.8

db: CNNVD, id: CNNVD-202005-210

Trust: 0.7

db: AUSCERT, id: ESB-2020.1617

Trust: 0.6

db: CNVD, id: CNVD-2020-27109

Trust: 0.1

db: VULHUB, id: VHN-181381

Trust: 0.1

db: VULMON, id: CVE-2020-3256

Trust: 0.1

sources: VULHUB: VHN-181381 // VULMON: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // CNNVD: CNNVD-202005-210 // NVD: CVE-2020-3256

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-hcmf-xxe-qqcmauj2

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2020-3256

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3256

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1617/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-181381 // VULMON: CVE-2020-3256 // JVNDB: JVNDB-2020-005207 // CNNVD: CNNVD-202005-210 // NVD: CVE-2020-3256

SOURCES

db: VULHUB, id: VHN-181381
db: VULMON, id: CVE-2020-3256
db: JVNDB, id: JVNDB-2020-005207
db: CNNVD, id: CNNVD-202005-210
db: NVD, id: CVE-2020-3256

LAST UPDATE DATE

2024-11-23T22:11:28.916000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181381, date: 2020-05-12T00:00:00
db: VULMON, id: CVE-2020-3256, date: 2020-05-12T00:00:00
db: JVNDB, id: JVNDB-2020-005207, date: 2020-06-09T00:00:00
db: CNNVD, id: CNNVD-202005-210, date: 2020-05-13T00:00:00
db: NVD, id: CVE-2020-3256, date: 2024-11-21T05:30:40.163

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181381, date: 2020-05-06T00:00:00
db: VULMON, id: CVE-2020-3256, date: 2020-05-06T00:00:00
db: JVNDB, id: JVNDB-2020-005207, date: 2020-06-09T00:00:00
db: CNNVD, id: CNNVD-202005-210, date: 2020-05-06T00:00:00
db: NVD, id: CVE-2020-3256, date: 2020-05-06T17:15:12.713