Details of VAR-202111-0419

ID

VAR-202111-0419

CVE

CVE-2021-34773

TITLE

plural Cisco Unified Communications Manager Cross-site request forgery vulnerability in product

Trust: 0.8

sources: JVNDB: JVNDB-2021-014481

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. These actions could include modifying the device configuration and deleting (but not creating) user accounts. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Attackers can use this vulnerability to send unexpected requests to the server

Trust: 1.8

sources: NVD: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // VULHUB: VHN-395015 // VULMON: CVE-2021-34773

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	14.0\(1.10000.20\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	eq	version:	14.0	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	eq	version:	11.5\(1\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	eq	version:	10.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	unified communications manager im and presence service	scope:	eq	version:	12.5	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unified communications manager	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified communications manager im and presence service	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-014481 // NVD: CVE-2021-34773

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34773
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34773
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-34773
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202111-399
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-395015
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-34773
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-34773
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-395015
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-34773
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0
NVD:	CVE-2021-34773
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773 // NVD: CVE-2021-34773

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.1
problemtype:	Cross-site request forgery (CWE-352) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-395015 // JVNDB: JVNDB-2021-014481 // NVD: CVE-2021-34773

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-399

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202111-399

PATCH

title:	cisco-sa-ucm-csrf-xrTkDu3H	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-csrf-xrTkDu3H	Trust: 0.8
title:	Cisco Unified Communications Manager Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=168542	Trust: 0.6
title:	Cisco: Cisco Unified Communications Products Cross-Site Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-csrf-xrTkDu3H	Trust: 0.1

sources: VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34773	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-014481	Trust: 0.8
db:	CNNVD	id:	CNNVD-202111-399	Trust: 0.7
db:	CS-HELP	id:	SB2021110405	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3686	Trust: 0.6
db:	CNVD	id:	CNVD-2021-103095	Trust: 0.1
db:	VULHUB	id:	VHN-395015	Trust: 0.1
db:	VULMON	id:	CVE-2021-34773	Trust: 0.1

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-csrf-xrtkdu3h	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-34773	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.3686	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-unified-communications-manager-cross-site-request-forgery-36813	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021110405	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773

SOURCES

db:	VULHUB	id:	VHN-395015
db:	VULMON	id:	CVE-2021-34773
db:	JVNDB	id:	JVNDB-2021-014481
db:	CNNVD	id:	CNNVD-202111-399
db:	NVD	id:	CVE-2021-34773

LAST UPDATE DATE

2024-08-14T13:23:10.882000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-395015	date:	2021-11-06T00:00:00
db:	VULMON	id:	CVE-2021-34773	date:	2021-11-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-014481	date:	2022-10-19T07:36:00
db:	CNNVD	id:	CNNVD-202111-399	date:	2021-11-15T00:00:00
db:	NVD	id:	CVE-2021-34773	date:	2023-11-07T03:36:22.220

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-395015	date:	2021-11-04T00:00:00
db:	VULMON	id:	CVE-2021-34773	date:	2021-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-014481	date:	2022-10-19T00:00:00
db:	CNNVD	id:	CNNVD-202111-399	date:	2021-11-03T00:00:00
db:	NVD	id:	CVE-2021-34773	date:	2021-11-04T16:15:08.730