Details of VAR-202105-0623

ID

VAR-202105-0623

CVE

CVE-2021-1530

TITLE

Cisco BroadWorks Messaging Server In software XML External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-006590

DESCRIPTION

A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a partial DoS condition on an affected system. There are workarounds that address this vulnerability. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Cisco BroadWorks Messaging Server is a database server of Cisco (Cisco)

Trust: 2.34

sources: NVD: CVE-2021-1530 // JVNDB: JVNDB-2021-006590 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-374584 // VULMON: CVE-2021-1530

AFFECTED PRODUCTS

vendor:	cisco	model:	broadworks messaging server	scope:	eq	version:	22.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco broadworks messaging server	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco broadworks messaging server	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-006590 // NVD: CVE-2021-1530

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1530
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1530
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-1530
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-152
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374584
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-1530
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-1530
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374584
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1530
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1530
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1530
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374584 // VULMON: CVE-2021-1530 // JVNDB: JVNDB-2021-006590 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-152 // NVD: CVE-2021-1530 // NVD: CVE-2021-1530

PROBLEMTYPE DATA

problemtype:	CWE-611	Trust: 1.1
problemtype:	XML Improper restrictions on external entity references (CWE-611) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-374584 // JVNDB: JVNDB-2021-006590 // NVD: CVE-2021-1530

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-152

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	cisco-sa-bwms-xxe-uSLrZgKs	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bwms-xxe-uSLrZgKs	Trust: 0.8
title:	Cisco BroadWorks Messaging Server Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=150790	Trust: 0.6
title:	Cisco: Cisco BroadWorks Messaging Server XML External Entity Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-bwms-xxe-uSLrZgKs	Trust: 0.1

sources: VULMON: CVE-2021-1530 // JVNDB: JVNDB-2021-006590 // CNNVD: CNNVD-202105-152

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1530	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-006590	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1532	Trust: 0.6
db:	CS-HELP	id:	SB2021050709	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-152	Trust: 0.6
db:	VULHUB	id:	VHN-374584	Trust: 0.1
db:	VULMON	id:	CVE-2021-1530	Trust: 0.1

sources: VULHUB: VHN-374584 // VULMON: CVE-2021-1530 // JVNDB: JVNDB-2021-006590 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-152 // NVD: CVE-2021-1530

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-bwms-xxe-uslrzgks	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1530	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021050709	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1532	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-374584 // VULMON: CVE-2021-1530 // JVNDB: JVNDB-2021-006590 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-152 // NVD: CVE-2021-1530

SOURCES

db:	VULHUB	id:	VHN-374584
db:	VULMON	id:	CVE-2021-1530
db:	JVNDB	id:	JVNDB-2021-006590
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-152
db:	NVD	id:	CVE-2021-1530

LAST UPDATE DATE

2024-08-14T13:15:59.963000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374584	date:	2021-05-14T00:00:00
db:	VULMON	id:	CVE-2021-1530	date:	2021-05-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-006590	date:	2022-01-13T09:03:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-152	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2021-1530	date:	2023-11-07T03:28:32.897

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374584	date:	2021-05-06T00:00:00
db:	VULMON	id:	CVE-2021-1530	date:	2021-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-006590	date:	2022-01-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-152	date:	2021-05-05T00:00:00
db:	NVD	id:	CVE-2021-1530	date:	2021-05-06T13:15:11.097