NVD:CVE-2021-34773
History: Nov 04, 2021 - 4:15 p.m.

CVE-2021-34773

2021-11-04 16:15:08
CWE-352
web.nvd.nist.gov
csrf vulnerability
remote attackers
cisco unified communications manager

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 32.2%

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. These actions could include modifying the device configuration and deleting (but not creating) user accounts.

Affected configurations

Nvd
Node
cisco unified_communications_manager Match - session_management
OR
cisco unified_communications_manager Match 14.0\(1.10000.20\)
OR
cisco unified_communications_manager_im_and_presence_service Match 10.5\(2\)
OR
cisco unified_communications_manager_im_and_presence_service Match 11.5\(1\)
OR
cisco unified_communications_manager_im_and_presence_service Match 12.5
OR
cisco unified_communications_manager_im_and_presence_service Match 14.0

Vendor | Product | Version | CPE
cisco | unified_communications_manager | - | cpe:2.3:a:cisco:unified_communications_manager:-:*:*:*:session_management:*:*:*
cisco | unified_communications_manager | 14.0(1.10000.20) | cpe:2.3:a:cisco:unified_communications_manager:14.0\(1.10000.20\):*:*:*:*:*:*:*
cisco | unified_communications_manager_im_and_presence_service | 10.5(2) | cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:10.5\(2\):*:*:*:*:*:*:*
cisco | unified_communications_manager_im_and_presence_service | 11.5(1) | cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:11.5\(1\):*:*:*:*:*:*:*
cisco | unified_communications_manager_im_and_presence_service | 12.5 | cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:12.5:*:*:*:*:*:*:*
cisco | unified_communications_manager_im_and_presence_service | 14.0 | cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:14.0:*:*:*:*:*:*:*
