Details of VAR-202201-1522

ID

VAR-202201-1522

CVE

CVE-2022-20658

TITLE

Cisco Unified Contact Center Management Portal and Cisco Unified Contact Center Domain Manager Vulnerability related to incorrect resource movement between regions in

Trust: 0.8

sources: JVNDB: JVNDB-2022-003017

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials

Trust: 1.8

sources: NVD: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // VULHUB: VHN-405211 // VULMON: CVE-2022-20658

AFFECTED PRODUCTS

vendor:	cisco	model:	unified contact center management portal	scope:	lte	version:	11.6.1	Trust: 1.0
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	12.0.1	Trust: 1.0
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	12.5.1	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco unified contact center management portal	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco unified contact center express	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-003017 // NVD: CVE-2022-20658

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-20658
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20658
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2022-20658
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202201-1012
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-405211
value:	HIGH
Trust: 0.1
VULMON:	CVE-2022-20658
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-20658
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-405211
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-20658
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	5.8
version:	3.1
Trust: 2.0
NVD:	CVE-2022-20658
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658 // NVD: CVE-2022-20658

PROBLEMTYPE DATA

problemtype:	CWE-669	Trust: 1.1
problemtype:	CWE-602	Trust: 1.0
problemtype:	Incorrect resource movement between regions (CWE-669) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405211 // JVNDB: JVNDB-2022-003017 // NVD: CVE-2022-20658

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1012

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-1012

PATCH

title:	cisco-sa-ccmp-priv-esc-JzhTFLm4	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmp-priv-esc-JzhTFLm4	Trust: 0.8
title:	Cisco Unified Contact Center Management Portal and Cisco Unified Contact Center Domain Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177800	Trust: 0.6
title:	Cisco: Cisco Unified Contact Center Management Portal and Unified Contact Center Domain Manager Privilege Escalation Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ccmp-priv-esc-JzhTFLm4	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20658	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-003017	Trust: 0.8
db:	CNNVD	id:	CNNVD-202201-1012	Trust: 0.7
db:	CS-HELP	id:	SB2022012421	Trust: 0.6
db:	VULHUB	id:	VHN-405211	Trust: 0.1
db:	VULMON	id:	CVE-2022-20658	Trust: 0.1

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ccmp-priv-esc-jzhtflm4	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20658	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2022012421	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/669.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658

SOURCES

db:	VULHUB	id:	VHN-405211
db:	VULMON	id:	CVE-2022-20658
db:	JVNDB	id:	JVNDB-2022-003017
db:	CNNVD	id:	CNNVD-202201-1012
db:	NVD	id:	CVE-2022-20658

LAST UPDATE DATE

2024-08-14T14:50:00.254000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405211	date:	2022-01-14T00:00:00
db:	VULMON	id:	CVE-2022-20658	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-003017	date:	2023-02-03T01:55:00
db:	CNNVD	id:	CNNVD-202201-1012	date:	2022-02-28T00:00:00
db:	NVD	id:	CVE-2022-20658	date:	2023-11-07T03:42:32.603

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405211	date:	2022-01-14T00:00:00
db:	VULMON	id:	CVE-2022-20658	date:	2022-01-14T00:00:00
db:	JVNDB	id:	JVNDB-2022-003017	date:	2023-02-03T00:00:00
db:	CNNVD	id:	CNNVD-202201-1012	date:	2022-01-12T00:00:00
db:	NVD	id:	CVE-2022-20658	date:	2022-01-14T05:15:11.003