Sign-up

ID

VAR-202006-1112


CVE

CVE-2020-3267


TITLE

Cisco Unified Contact Center Express Vulnerability in externally accessible files or directories in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006459

DESCRIPTION

A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition. This component supports functions such as self-service voice service, call distribution, and customer access control

Trust: 1.8

sources: NVD: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // VULHUB: VHN-181392 // VULMON: CVE-2020-3267

AFFECTED PRODUCTS

vendor:ciscomodel:unified contact center expressscope:ltversion:12.5\(1\)

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006459 // NVD: CVE-2020-3267

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3267
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3267
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006459
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-365
value: HIGH

Trust: 0.6

VULHUB: VHN-181392
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-3267
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3267
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006459
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181392
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3267
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3267
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-006459
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181392 // VULMON: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // CNNVD: CNNVD-202006-365 // NVD: CVE-2020-3267 // NVD: CVE-2020-3267

PROBLEMTYPE DATA

problemtype:CWE-552

Trust: 1.9

problemtype:CWE-285

Trust: 1.0

sources: VULHUB: VHN-181392 // JVNDB: JVNDB-2020-006459 // NVD: CVE-2020-3267

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-365

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202006-365

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006459

PATCH
title:cisco-sa-uccx-api-auth-WSx4v7sBurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB
Trust: 0.8
title:Cisco Unified Contact Center Express Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=121528
Trust: 0.6
title:Cisco: Cisco Unified Contact Center Express Improper API Authorization Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-uccx-api-auth-WSx4v7sB
Trust: 0.1
sources:
            
            
            VULMON: CVE-2020-3267 // 
            
            
            
            JVNDB: JVNDB-2020-006459 // 
            
            
            
            CNNVD: CNNVD-202006-365

EXTERNAL IDS
db:NVDid:CVE-2020-3267
Trust: 2.6
db:JVNDBid:JVNDB-2020-006459
Trust: 0.8
db:CNNVDid:CNNVD-202006-365
Trust: 0.7
db:NSFOCUSid:47280
Trust: 0.6
db:AUSCERTid:ESB-2020.1958
Trust: 0.6
db:VULHUBid:VHN-181392
Trust: 0.1
db:VULMONid:CVE-2020-3267
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181392 // 
            
            
            
            VULMON: CVE-2020-3267 // 
            
            
            
            JVNDB: JVNDB-2020-006459 // 
            
            
            
            CNNVD: CNNVD-202006-365 // 
            
            
            
            NVD: CVE-2020-3267

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-api-auth-wsx4v7sb
Trust: 1.9
url:https://nvd.nist.gov/vuln/detail/cve-2020-3267
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3267
Trust: 0.8
url:https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-denial-of-service-via-api-32429
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1958/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/47280
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/552.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULHUB: VHN-181392 // 
            
            
            
            VULMON: CVE-2020-3267 // 
            
            
            
            JVNDB: JVNDB-2020-006459 // 
            
            
            
            CNNVD: CNNVD-202006-365 // 
            
            
            
            NVD: CVE-2020-3267

SOURCES
db:VULHUBid:VHN-181392
db:VULMONid:CVE-2020-3267
db:JVNDBid:JVNDB-2020-006459
db:CNNVDid:CNNVD-202006-365
db:NVDid:CVE-2020-3267

LAST UPDATE DATE
2024-08-14T14:25:43.377000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-181392date:2020-06-12T00:00:00
db:VULMONid:CVE-2020-3267date:2020-06-12T00:00:00
db:JVNDBid:JVNDB-2020-006459date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202006-365date:2020-07-28T00:00:00
db:NVDid:CVE-2020-3267date:2020-06-12T18:30:14.600

SOURCES RELEASE DATE
db:VULHUBid:VHN-181392date:2020-06-03T00:00:00
db:VULMONid:CVE-2020-3267date:2020-06-03T00:00:00
db:JVNDBid:JVNDB-2020-006459date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202006-365date:2020-06-03T00:00:00
db:NVDid:CVE-2020-3267date:2020-06-03T18:15:22.090