Lucene search

CiscoCVE-2019-1888

HistorySep 23, 2020 - 1:15 a.m.

CVE-2019-1888

2020-09-2301:15:14

CWE-434

cisco

web.nvd.nist.gov

cve-2019-1888

cisco

unified contact center express

vulnerability

remote code execution

admin web interface

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.021

Percentile

89.4%

JSON

A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root.

Affected configurations

Nvd

Node

ciscounified_contact_center_expressMatch11.6\(1\)

ciscounified_contact_center_expressMatch11.6\(2\)

ciscounified_contact_center_expressMatch12.0\(1\)

ciscounified_ip_interactive_voice_responseMatch11.6\(1\)

ciscounified_ip_interactive_voice_responseMatch11.6\(2\)

VendorProductVersionCPE
ciscounified_contact_center_express11.6(1)cpe:2.3:a:cisco:unified_contact_center_express:11.6\(1\):*:*:*:*:*:*:*
ciscounified_contact_center_express11.6(2)cpe:2.3:a:cisco:unified_contact_center_express:11.6\(2\):*:*:*:*:*:*:*
ciscounified_contact_center_express12.0(1)cpe:2.3:a:cisco:unified_contact_center_express:12.0\(1\):*:*:*:*:*:*:*
ciscounified_ip_interactive_voice_response11.6(1)cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\(1\):*:*:*:*:*:*:*
ciscounified_ip_interactive_voice_response11.6(2)cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\(2\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_contact_center_express	11.6(1)	cpe:2.3:a:cisco:unified_contact_center_express:11.6\(1\):::::::*
cisco	unified_contact_center_express	11.6(2)	cpe:2.3:a:cisco:unified_contact_center_express:11.6\(2\):::::::*
cisco	unified_contact_center_express	12.0(1)	cpe:2.3:a:cisco:unified_contact_center_express:12.0\(1\):::::::*
cisco	unified_ip_interactive_voice_response	11.6(1)	cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\(1\):::::::*
cisco	unified_ip_interactive_voice_response	11.6(2)	cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\(2\):::::::*

CNA Affected

[
  {
    "product": "Cisco Unified Contact Center Express",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-privesc-Zd7bvwyf

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.021

Percentile

89.4%

JSON

Related for CVE-2019-1888