Search...

Cisco Unity Connection Cross-Site Scripting Vulnerability

2014-04-01T18:55:42

ID CISCO-SA-20140401-CVE-2014-2125
Type cisco
Reporter Cisco
Modified 2014-04-01T18:55:36

Description

A vulnerability in Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.

The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by persuading a user to access a malicious link.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Cisco indicates through the CVSS score that proof-of-concept exploit code exists; however, the code is not known to be publicly available.

JSON Vulners Source

Initial Source

{"id": "CISCO-SA-20140401-CVE-2014-2125", "hash": "e7a05241517560052887540e16e9b332", "type": "cisco", "bulletinFamily": "software", "title": "Cisco Unity Connection Cross-Site Scripting Vulnerability", "description": "A vulnerability in Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.\n\nThe vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by persuading a user to access a malicious link.\n\nCisco has confirmed the vulnerability in a security notice and released software updates.\n\nTo exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.\n\nCisco indicates through the CVSS score that proof-of-concept exploit code exists; however, the code is not known to be publicly available.", "published": "2014-04-01T18:55:42", "modified": "2014-04-01T18:55:36", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140401-CVE-2014-2125", "reporter": "Cisco", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140401-CVE-2014-2125"], "cvelist": ["CVE-2014-2125"], "lastseen": "2017-09-26T15:33:56", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "vulnersScore": 4.3}, "objectVersion": "1.4", "affectedSoftware": [{"version": "any", "operator": "eq", "name": "Cisco Unity Connection"}], "_object_type": "robots.models.cisco.CiscoBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"]}

{"cve": [{"lastseen": "2016-09-03T20:10:43", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2125", "http://www.securitytracker.com/id/1029988", "http://tools.cisco.com/security/center/viewAlert.x?alertId=33603"], "edition": 1, "description": "Cross-site scripting (XSS) vulnerability in the Web Inbox in Cisco Unity Connection 8.6(2a)SU3 and earlier allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCui33028.", "reporter": "NVD", "published": "2014-04-01T23:58:17", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2014-2125", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2125"], "scanner": [], "modified": "2015-09-16T15:18:10", "cpe": ["cpe:/a:cisco:unity_connection:8.6", "cpe:/a:cisco:unity_connection:8.6:%282a%29su3", "cpe:/a:cisco:unity_connection:8.6:%282a%29su1", "cpe:/a:cisco:unity_connection:8.6:%282%29", "cpe:/a:cisco:unity_connection:8.6:%281%29", "cpe:/a:cisco:unity_connection:8.6%282a%29", "cpe:/a:cisco:unity_connection:8.6%281a%29", "cpe:/a:cisco:unity_connection:8.6:%282a%29su2"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2125", "id": "CVE-2014-2125", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T17:28:23", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID:CVE-2014-2125\r\n\r\nCisco Unity Connection\u662f\u8fd0\u884c\u5728Linux-based Cisco Unified Communications\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u7684\u529f\u80fd\u5f3a\u5927\u7684\u8bed\u97f3\u6d88\u606f\u901a\u8baf\u5e73\u53f0\u3002\r\n\r\n\u7531\u4e8e\u67d0\u4e9b\u5173\u4e8e\u7f51\u9875\u6536\u4ef6\u7bb1\u7684\u8f93\u5165\u5728\u8fd4\u56de\u7528\u6237\u524d\u6ca1\u6709\u6b63\u786e\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7ad9\u70b9\u4e0a\u4e0b\u6587\u7684\u7528\u6237\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6267\u884c\u4efb\u610fHTML \u548c\u811a\u672c\u4ee3\u7801\u3002\n0\nCisco Unity Connection 8.x\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2125", "reporter": "Root", "published": "2014-04-02T00:00:00", "title": "Cisco Unity Connection Web Inbox\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2125"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-04-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62039", "id": "SSV:62039", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "", "status": "details"}]}