ID

VAR-202111-0419


CVE

CVE-2021-34773


TITLE

Cross-site request forgery vulnerability in multiple Cisco Unified Communications Manager products

Trust: 0.8

sources: JVNDB: JVNDB-2021-014481

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. These actions could include modifying the device configuration and deleting (but not creating) user accounts. Unified CM provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Attackers can use this vulnerability to send unexpected requests to the server.

Trust: 1.8

sources: NVD: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // VULHUB: VHN-395015 // VULMON: CVE-2021-34773

AFFECTED PRODUCTS

vendor: cisco, model: unified communications manager, scope: eq, version: 14.0(1.10000.20)

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 14.0

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 11.5(1)

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 10.5(2)

Trust: 1.0

vendor: cisco, model: unified communications manager, scope: eq, version: -

Trust: 1.0

vendor: cisco, model: unified communications manager im and presence service, scope: eq, version: 12.5

Trust: 1.0

vendor: Cisco Systems, model: cisco unified communications manager, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco unified communications manager im and presence service, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-014481 // NVD: CVE-2021-34773

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-34773
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2021-34773
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-34773
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202111-399
value: MEDIUM

Trust: 0.6

VULHUB: VHN-395015
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-34773
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-34773
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-395015
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-34773
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2021-34773
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773 // NVD: CVE-2021-34773

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.1

problemtype: Cross-site request forgery (CWE-352) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-395015 // JVNDB: JVNDB-2021-014481 // NVD: CVE-2021-34773

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-399

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202111-399

PATCH

title: cisco-sa-ucm-csrf-xrTkDu3H
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-csrf-xrTkDu3H

Trust: 0.8

title: Cisco Unified Communications Manager Fixes for cross-site request forgery vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=168542

Trust: 0.6

title: Cisco: Cisco Unified Communications Products Cross-Site Request Forgery Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ucm-csrf-xrTkDu3H

Trust: 0.1

sources: VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399

EXTERNAL IDS

db: NVD, id: CVE-2021-34773

Trust: 3.4

db: JVNDB, id: JVNDB-2021-014481

Trust: 0.8

db: CNNVD, id: CNNVD-202111-399

Trust: 0.7

db: CS-HELP, id: SB2021110405

Trust: 0.6

db: AUSCERT, id: ESB-2021.3686

Trust: 0.6

db: CNVD, id: CNVD-2021-103095

Trust: 0.1

db: VULHUB, id: VHN-395015

Trust: 0.1

db: VULMON, id: CVE-2021-34773

Trust: 0.1

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ucm-csrf-xrtkdu3h

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-34773

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.3686

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-communications-manager-cross-site-request-forgery-36813

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021110405

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/352.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-395015 // VULMON: CVE-2021-34773 // JVNDB: JVNDB-2021-014481 // CNNVD: CNNVD-202111-399 // NVD: CVE-2021-34773

SOURCES

db: VULHUB, id: VHN-395015
db: VULMON, id: CVE-2021-34773
db: JVNDB, id: JVNDB-2021-014481
db: CNNVD, id: CNNVD-202111-399
db: NVD, id: CVE-2021-34773

LAST UPDATE DATE

2024-08-14T13:23:10.882000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-395015, date: 2021-11-06T00:00:00
db: VULMON, id: CVE-2021-34773, date: 2021-11-06T00:00:00
db: JVNDB, id: JVNDB-2021-014481, date: 2022-10-19T07:36:00
db: CNNVD, id: CNNVD-202111-399, date: 2021-11-15T00:00:00
db: NVD, id: CVE-2021-34773, date: 2023-11-07T03:36:22.220

SOURCES RELEASE DATE

db: VULHUB, id: VHN-395015, date: 2021-11-04T00:00:00
db: VULMON, id: CVE-2021-34773, date: 2021-11-04T00:00:00
db: JVNDB, id: JVNDB-2021-014481, date: 2022-10-19T00:00:00
db: CNNVD, id: CNNVD-202111-399, date: 2021-11-03T00:00:00
db: NVD, id: CVE-2021-34773, date: 2021-11-04T16:15:08.730