ID

VAR-202201-1522


CVE

CVE-2022-20658


TITLE

Cisco Unified Contact Center Management Portal  and  Cisco Unified Contact Center Domain Manager  Vulnerability related to incorrect resource movement between regions in

Trust: 0.8

sources: JVNDB: JVNDB-2022-003017

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials

Trust: 1.8

sources: NVD: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // VULHUB: VHN-405211 // VULMON: CVE-2022-20658

AFFECTED PRODUCTS

vendor:ciscomodel:unified contact center management portalscope:lteversion:11.6.1

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:eqversion:12.5.1

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:eqversion:12.0.1

Trust: 1.0

vendor:シスコシステムズmodel:cisco unified contact center management portalscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco unified contact center expressscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-003017 // NVD: CVE-2022-20658

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20658
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20658
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-20658
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202201-1012
value: CRITICAL

Trust: 0.6

VULHUB: VHN-405211
value: HIGH

Trust: 0.1

VULMON: CVE-2022-20658
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-20658
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-405211
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20658
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 5.8
version: 3.1

Trust: 2.0

NVD: CVE-2022-20658
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658 // NVD: CVE-2022-20658

PROBLEMTYPE DATA

problemtype:CWE-669

Trust: 1.1

problemtype:CWE-602

Trust: 1.0

problemtype:Incorrect resource movement between regions (CWE-669) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-405211 // JVNDB: JVNDB-2022-003017 // NVD: CVE-2022-20658

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1012

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-1012

PATCH

title:cisco-sa-ccmp-priv-esc-JzhTFLm4url:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmp-priv-esc-JzhTFLm4

Trust: 0.8

title:Cisco Unified Contact Center Management Portal and Cisco Unified Contact Center Domain Manager Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=177800

Trust: 0.6

title:Cisco: Cisco Unified Contact Center Management Portal and Unified Contact Center Domain Manager Privilege Escalation Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ccmp-priv-esc-JzhTFLm4

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012

EXTERNAL IDS

db:NVDid:CVE-2022-20658

Trust: 3.4

db:JVNDBid:JVNDB-2022-003017

Trust: 0.8

db:CNNVDid:CNNVD-202201-1012

Trust: 0.7

db:CS-HELPid:SB2022012421

Trust: 0.6

db:VULHUBid:VHN-405211

Trust: 0.1

db:VULMONid:CVE-2022-20658

Trust: 0.1

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ccmp-priv-esc-jzhtflm4

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-20658

Trust: 1.4

url:https://www.cybersecurity-help.cz/vdb/sb2022012421

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/669.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-405211 // VULMON: CVE-2022-20658 // JVNDB: JVNDB-2022-003017 // CNNVD: CNNVD-202201-1012 // NVD: CVE-2022-20658

SOURCES

db:VULHUBid:VHN-405211
db:VULMONid:CVE-2022-20658
db:JVNDBid:JVNDB-2022-003017
db:CNNVDid:CNNVD-202201-1012
db:NVDid:CVE-2022-20658

LAST UPDATE DATE

2024-11-23T22:32:57.418000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-405211date:2022-01-14T00:00:00
db:VULMONid:CVE-2022-20658date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2022-003017date:2023-02-03T01:55:00
db:CNNVDid:CNNVD-202201-1012date:2022-02-28T00:00:00
db:NVDid:CVE-2022-20658date:2024-11-21T06:43:15.440

SOURCES RELEASE DATE

db:VULHUBid:VHN-405211date:2022-01-14T00:00:00
db:VULMONid:CVE-2022-20658date:2022-01-14T00:00:00
db:JVNDBid:JVNDB-2022-003017date:2023-02-03T00:00:00
db:CNNVDid:CNNVD-202201-1012date:2022-01-12T00:00:00
db:NVDid:CVE-2022-20658date:2022-01-14T05:15:11.003