Sign-up

ID

VAR-202101-0786


CVE

CVE-2021-1144


TITLE

Cisco Connected Mobile Experiences access control error vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-03256 // CNNVD: CNNVD-202101-1034

DESCRIPTION

A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user. Cisco Connected Mobile Experiences (CMX) Contains an improper authentication vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Cisco Connected Mobile Experiences is a connected mobile experience of Cisco in the United States. No detailed vulnerability details are currently provided

Trust: 2.34

sources: NVD: CVE-2021-1144 // JVNDB: JVNDB-2021-002778 // CNVD: CNVD-2021-03256 // VULHUB: VHN-374198 // VULMON: CVE-2021-1144

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-03256

AFFECTED PRODUCTS

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.2

Trust: 1.0

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.0

Trust: 1.0

vendor:ciscomodel:connected mobile experiencesscope:eqversion:10.6.1

Trust: 1.0

vendor:シスコシステムズmodel:cisco connected mobile experiencesscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco connected mobile experiencesscope:eqversion: -

Trust: 0.8

vendor:ciscomodel:connected mobile experiencesscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-03256 // JVNDB: JVNDB-2021-002778 // NVD: CVE-2021-1144

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1144
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1144
value: HIGH

Trust: 1.0

NVD: CVE-2021-1144
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-03256
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202101-1034
value: HIGH

Trust: 0.6

VULHUB: VHN-374198
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-1144
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1144
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-03256
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-374198
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1144
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2021-1144
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-03256 // VULHUB: VHN-374198 // VULMON: CVE-2021-1144 // JVNDB: JVNDB-2021-002778 // CNNVD: CNNVD-202101-1034 // NVD: CVE-2021-1144 // NVD: CVE-2021-1144

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:Bad authentication (CWE-863) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-374198 // JVNDB: JVNDB-2021-002778 // NVD: CVE-2021-1144

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1034

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202101-1034

PATCH

title:cisco-sa-cmxpe-75Asy9kurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k

Trust: 0.8

title:Patch for Cisco Connected Mobile Experiences access control error vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/244336

Trust: 0.6

title:Cisco Connected Mobile Experiences Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139136

Trust: 0.6

title:Cisco: Cisco Connected Mobile Experiences Privilege Escalation Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-cmxpe-75Asy9k

Trust: 0.1

title:Threatposturl:https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/

Trust: 0.1

title:Threatposturl:https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/

Trust: 0.1

sources: CNVD: CNVD-2021-03256 // VULMON: CVE-2021-1144 // JVNDB: JVNDB-2021-002778 // CNNVD: CNNVD-202101-1034

EXTERNAL IDS

db:NVDid:CVE-2021-1144

Trust: 3.2

db:JVNDBid:JVNDB-2021-002778

Trust: 0.8

db:CNVDid:CNVD-2021-03256

Trust: 0.6

db:AUSCERTid:ESB-2021.0153

Trust: 0.6

db:CNNVDid:CNNVD-202101-1034

Trust: 0.6

db:VULHUBid:VHN-374198

Trust: 0.1

db:VULMONid:CVE-2021-1144

Trust: 0.1

sources: CNVD: CNVD-2021-03256 // VULHUB: VHN-374198 // VULMON: CVE-2021-1144 // JVNDB: JVNDB-2021-002778 // CNNVD: CNNVD-202101-1034 // NVD: CVE-2021-1144

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cmxpe-75asy9k

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-1144

Trust: 2.0

url:https://www.auscert.org.au/bulletins/esb-2021.0153/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/cisco-dna-center-bug-remote-attack/163302/

Trust: 0.1

sources: CNVD: CNVD-2021-03256 // VULHUB: VHN-374198 // VULMON: CVE-2021-1144 // JVNDB: JVNDB-2021-002778 // CNNVD: CNNVD-202101-1034 // NVD: CVE-2021-1144

SOURCES

db:CNVDid:CNVD-2021-03256
db:VULHUBid:VHN-374198
db:VULMONid:CVE-2021-1144
db:JVNDBid:JVNDB-2021-002778
db:CNNVDid:CNNVD-202101-1034
db:NVDid:CVE-2021-1144

LAST UPDATE DATE

2024-11-23T23:04:07.417000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-03256date:2021-01-15T00:00:00
db:VULHUBid:VHN-374198date:2021-01-20T00:00:00
db:VULMONid:CVE-2021-1144date:2021-01-20T00:00:00
db:JVNDBid:JVNDB-2021-002778date:2021-10-01T05:54:00
db:CNNVDid:CNNVD-202101-1034date:2021-01-21T00:00:00
db:NVDid:CVE-2021-1144date:2024-11-21T05:43:41.157

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-03256date:2021-01-15T00:00:00
db:VULHUBid:VHN-374198date:2021-01-13T00:00:00
db:VULMONid:CVE-2021-1144date:2021-01-13T00:00:00
db:JVNDBid:JVNDB-2021-002778date:2021-10-01T00:00:00
db:CNNVDid:CNNVD-202101-1034date:2021-01-13T00:00:00
db:NVDid:CVE-2021-1144date:2021-01-13T22:15:14.723