ID

VAR-202101-1018


CVE

CVE-2021-1246


TITLE

Cisco Finesse Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-002764

DESCRIPTION

Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability.

A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Cisco Finesse contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.

Cisco Finesse is a set of call center management software developed by Cisco.

Trust: 1.71

sources: NVD: CVE-2021-1246 // JVNDB: JVNDB-2021-002764 // VULHUB: VHN-374300

AFFECTED PRODUCTS

vendor: cisco, model: finesse, scope: lt, version: 12.0(1)

Trust: 1.0

vendor: cisco, model: finesse, scope: eq, version: 12.5(1)

Trust: 1.0

vendor: cisco, model: finesse, scope: eq, version: 12.0(1)

Trust: 1.0

vendor: Cisco Systems, model: cisco finesse, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco finesse, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-002764 // NVD: CVE-2021-1246

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-1246
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1246
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-1246
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202101-957
value: MEDIUM

Trust: 0.6

VULHUB: VHN-374300
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-1246
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-374300
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-1246
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2021-1246
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2021-1246
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-374300 // JVNDB: JVNDB-2021-002764 // CNNVD: CNNVD-202101-957 // NVD: CVE-2021-1246 // NVD: CVE-2021-1246

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:CWE-306

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-374300 // JVNDB: JVNDB-2021-002764 // NVD: CVE-2021-1246

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-957

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202101-957

PATCH

title: cisco-sa-multi-vuln-finesse-qp6gbUO2, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2

Trust: 0.8

title: Cisco Finesse Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139419

Trust: 0.6

sources: JVNDB: JVNDB-2021-002764 // CNNVD: CNNVD-202101-957

EXTERNAL IDS

db: NVD, id: CVE-2021-1246

Trust: 2.5

db: JVNDB, id: JVNDB-2021-002764

Trust: 0.8

db: AUSCERT, id: ESB-2021.0146

Trust: 0.6

db: CNNVD, id: CNNVD-202101-957

Trust: 0.6

db: VULHUB, id: VHN-374300

Trust: 0.1

sources: VULHUB: VHN-374300 // JVNDB: JVNDB-2021-002764 // CNNVD: CNNVD-202101-957 // NVD: CVE-2021-1246

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2021-1246

Trust: 1.4

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-multi-vuln-finesse-qp6gbuo2

Trust: 1.3

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-multi-vuln-finesse-qp6gbuo2

Trust: 1.0

url:https://www.auscert.org.au/bulletins/esb-2021.0146/

Trust: 0.6

sources: VULHUB: VHN-374300 // JVNDB: JVNDB-2021-002764 // CNNVD: CNNVD-202101-957 // NVD: CVE-2021-1246

SOURCES

db: VULHUB, id: VHN-374300
db: JVNDB, id: JVNDB-2021-002764
db: CNNVD, id: CNNVD-202101-957
db: NVD, id: CVE-2021-1246

LAST UPDATE DATE

2024-09-11T22:58:58.907000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-374300, date: 2021-01-20T00:00:00
db: JVNDB, id: JVNDB-2021-002764, date: 2021-09-30T08:32:00
db: CNNVD, id: CNNVD-202101-957, date: 2021-01-21T00:00:00
db: NVD, id: CVE-2021-1246, date: 2024-09-11T16:15:04.190

SOURCES RELEASE DATE

db: VULHUB, id: VHN-374300, date: 2021-01-13T00:00:00
db: JVNDB, id: JVNDB-2021-002764, date: 2021-09-30T00:00:00
db: CNNVD, id: CNNVD-202101-957, date: 2021-01-13T00:00:00
db: NVD, id: CVE-2021-1246, date: 2021-01-13T22:15:21.193