Executive Summary

Summary
Title : Cisco Unified Customer Voice Portal Operations Console Privilege Escalation Vulnerability
Information
Name : cisco-sa-20170920-cvp
First vendor Publication : 2017-09-20
Vendor : Cisco
Last vendor Modification : 2017-09-20
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score : 6.5
Attack Range : Network
Cvss Impact Score : 6.4
Attack Complexity : Low
Cvss Exploit Score : 8
Authentication : Requires single instance

Detail

A vulnerability in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to gain elevated privileges.

The vulnerability is due to a lack of proper input validation. An attacker could exploit this vulnerability by authenticating to the OAMP and sending a crafted HTTP request. A successful exploit could allow the attacker to gain administrator privileges. The attacker must successfully authenticate to the system to exploit this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp

Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Application 3

Snort® IPS/IDS

Date Description
2017-09-21 Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt
RuleID : 44417 - Revision : 1 - Type : SERVER-WEBAPP

Alert History

Date Information
2017-10-03 21:25:38
  • Multiple Updates
2017-09-21 17:22:19
  • First insertion