ID

VAR-202006-1112


CVE

CVE-2020-3267


TITLE

Vulnerability in externally accessible files or directories in Cisco Unified Contact Center Express

Trust: 0.8

sources: JVNDB: JVNDB-2020-006459

DESCRIPTION

A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerability is due to insufficient authorization enforcement on an affected system. An attacker could exploit this vulnerability by authenticating to an affected system with valid agent credentials and performing a specific API call with crafted input. A successful exploit could allow the attacker to change the availability state of an agent, potentially causing a denial of service condition. This component supports functions such as self-service voice service, call distribution, and customer access control.

Trust: 1.8

sources: NVD: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // VULHUB: VHN-181392 // VULMON: CVE-2020-3267

AFFECTED PRODUCTS

vendor: cisco, model: unified contact center express, scope: lt, version: 12.5(1)

Trust: 1.0

vendor: cisco, model: unified contact center express, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-006459 // NVD: CVE-2020-3267

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3267
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3267
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006459
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-365
value: HIGH

Trust: 0.6

VULHUB: VHN-181392
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-3267
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3267
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-006459
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181392
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3267
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3267
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-006459
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181392 // VULMON: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // CNNVD: CNNVD-202006-365 // NVD: CVE-2020-3267 // NVD: CVE-2020-3267

PROBLEMTYPE DATA

problemtype:CWE-552

Trust: 1.9

problemtype:CWE-285

Trust: 1.0

sources: VULHUB: VHN-181392 // JVNDB: JVNDB-2020-006459 // NVD: CVE-2020-3267

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-365

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202006-365

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006459

PATCH

title: cisco-sa-uccx-api-auth-WSx4v7sB
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-api-auth-WSx4v7sB

Trust: 0.8

title: Cisco Unified Contact Center Express Remediation measures for authorization problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=121528

Trust: 0.6

title: Cisco: Cisco Unified Contact Center Express Improper API Authorization Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-uccx-api-auth-WSx4v7sB

Trust: 0.1

sources: VULMON: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // CNNVD: CNNVD-202006-365

EXTERNAL IDS

db: NVD, id: CVE-2020-3267

Trust: 2.6

db: JVNDB, id: JVNDB-2020-006459

Trust: 0.8

db: CNNVD, id: CNNVD-202006-365

Trust: 0.7

db: NSFOCUS, id: 47280

Trust: 0.6

db: AUSCERT, id: ESB-2020.1958

Trust: 0.6

db: VULHUB, id: VHN-181392

Trust: 0.1

db: VULMON, id: CVE-2020-3267

Trust: 0.1

sources: VULHUB: VHN-181392 // VULMON: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // CNNVD: CNNVD-202006-365 // NVD: CVE-2020-3267

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-api-auth-wsx4v7sb

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2020-3267

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3267

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-denial-of-service-via-api-32429

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1958/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47280

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/552.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-181392 // VULMON: CVE-2020-3267 // JVNDB: JVNDB-2020-006459 // CNNVD: CNNVD-202006-365 // NVD: CVE-2020-3267

SOURCES

db: VULHUB, id: VHN-181392
db: VULMON, id: CVE-2020-3267
db: JVNDB, id: JVNDB-2020-006459
db: CNNVD, id: CNNVD-202006-365
db: NVD, id: CVE-2020-3267

LAST UPDATE DATE

2024-08-14T14:25:43.377000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181392, date: 2020-06-12T00:00:00
db: VULMON, id: CVE-2020-3267, date: 2020-06-12T00:00:00
db: JVNDB, id: JVNDB-2020-006459, date: 2020-07-09T00:00:00
db: CNNVD, id: CNNVD-202006-365, date: 2020-07-28T00:00:00
db: NVD, id: CVE-2020-3267, date: 2020-06-12T18:30:14.600

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181392, date: 2020-06-03T00:00:00
db: VULMON, id: CVE-2020-3267, date: 2020-06-03T00:00:00
db: JVNDB, id: JVNDB-2020-006459, date: 2020-07-09T00:00:00
db: CNNVD, id: CNNVD-202006-365, date: 2020-06-03T00:00:00
db: NVD, id: CVE-2020-3267, date: 2020-06-03T18:15:22.090