This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Vendor: Cisco
Product: Unified Communications Manager
Version: -
Update: *
Edition: *
Language: *
Software Edition: session_management
Target Software: *
Target Hardware: *
Other: *
CPE Product: cpe:2.3:a:cisco:unified_communications_manager

Detail

First view: 2007-07-15
Last view: 2020-02-19
Type: Application

Activity : Overall

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.

Score  Date  CVE ID (description follows each entry)
6.1 2020-02-19 CVE-2015-0749

A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerability is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

7.5 2018-06-07 CVE-2017-6779

Multiple Cisco products are affected by a vulnerability in local file management for certain system log files of Cisco collaboration products that could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because a certain system log file does not have a maximum size restriction. Therefore, the file is allowed to consume the majority of available disk space on the appliance. An attacker could exploit this vulnerability by sending crafted remote connection requests to the appliance. Successful exploitation could allow the attacker to increase the size of a system log file so that it consumes most of the disk space. The lack of available disk space could lead to a DoS condition in which the application functions could operate abnormally, making the appliance unstable. This vulnerability affects the following Cisco Voice Operating System (VOS)-based products: Emergency Responder, Finesse, Hosted Collaboration Mediation Fulfillment, MediaSense, Prime License Manager, SocialMiner, Unified Communications Manager (UCM), Unified Communications Manager IM and Presence Service (IM&P - earlier releases were known as Cisco Unified Presence), Unified Communication Manager Session Management Edition (SME), Unified Contact Center Express (UCCx), Unified Intelligence Center (UIC), Unity Connection, Virtualized Voice Browser. This vulnerability also affects Prime Collaboration Assurance and Prime Collaboration Provisioning. Cisco Bug IDs: CSCvd10872, CSCvf64322, CSCvf64332, CSCvi29538, CSCvi29543, CSCvi29544, CSCvi29546, CSCvi29556, CSCvi29571, CSCvi31738, CSCvi31741, CSCvi31762, CSCvi31807, CSCvi31818, CSCvi31823.

9.8 2017-11-16 CVE-2017-12337

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability. An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely. Cisco Bug IDs: CSCvg22923, CSCvg55112, CSCvg55128, CSCvg55145, CSCvg58619, CSCvg64453, CSCvg64456, CSCvg64464, CSCvg64475, CSCvg68797.

4.3 2014-11-13 CVE-2014-7991

The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10.0(1) and earlier does not properly validate the Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof VCS core devices via a crafted certificate issued by a legitimate Certification Authority, aka Bug ID CSCuq86376.

4 2014-08-11 CVE-2014-3332

Cisco Unified Communications Manager (CM) 8.6(.2) and earlier has an incorrect CLI restrictions setting, which allows remote authenticated users to establish undetected concurrent logins via unspecified vectors, aka Bug ID CSCup98029.

6.8 2014-02-26 CVE-2014-0747

The Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to inject commands via unspecified CAPF programs, aka Bug ID CSCum95493.

5 2014-02-26 CVE-2014-0743

The Certificate Authority Proxy Function (CAPF) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and modify registered-device information via crafted data, aka Bug ID CSCum95468.

6.2 2014-02-26 CVE-2014-0742

The Certificate Authority Proxy Function (CAPF) CLI implementation in the CSR management feature in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to read or modify arbitrary files via unspecified vectors, aka Bug ID CSCum95464.

6.2 2014-02-26 CVE-2014-0741

The certificate-import feature in the Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to read or modify arbitrary files via a crafted command, aka Bug ID CSCum95461.

6.8 2014-02-26 CVE-2014-0740

Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) interface in the OS Administration component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of administrators for requests that make administrative changes, aka Bug ID CSCun00701.

5 2014-02-22 CVE-2014-0731

The administration interface in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and read Java class files via a direct request, aka Bug ID CSCum46497.

6.8 2014-02-20 CVE-2014-0736

Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) page in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make CAR modifications, aka Bug ID CSCum46468.

4.3 2014-02-20 CVE-2014-0735

Cross-site scripting (XSS) vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCum46470.

7.5 2014-02-20 CVE-2014-0734

SQL injection vulnerability in the Certificate Authority Proxy Function (CAPF) implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum46483.

5 2014-02-20 CVE-2014-0733

The Enterprise License Manager (ELM) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read ELM files via a direct request to a URL, aka Bug ID CSCum46494.

5 2014-02-20 CVE-2014-0732

The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495.

7.5 2014-02-13 CVE-2014-0728

SQL injection vulnerability in the Java database interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05313.

7.5 2014-02-13 CVE-2014-0726

SQL injection vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05326.

4 2014-02-13 CVE-2014-0724

The bulk administration interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to bypass authentication and read arbitrary files by using an unspecified prompt, aka Bug ID CSCum05340.

6 2014-02-04 CVE-2014-0686

Cisco Unified Communications Manager (aka Unified CM) 9.1 (2.10000.28) and earlier allows local users to gain privileges by leveraging incorrect file permissions, aka Bug IDs CSCul24917 and CSCul24908.

4 2014-01-08 CVE-2014-0657

The administration portal in Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier does not properly handle role restrictions, which allows remote authenticated users to bypass role-based access control via multiple visits to a forbidden portal URL, aka Bug ID CSCuj83540.

4 2013-12-21 CVE-2013-6978

The disaster recovery system (DRS) component in Cisco Unified Communications Manager (UCM) 9.1(1) and earlier allows remote authenticated users to obtain sensitive device information by reading "extraneous information" in HTML source code, aka Bug ID CSCuj39249.

6.9 2013-11-17 CVE-2013-6689

Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier allows local users to bypass file permissions, and read, modify, or create arbitrary files, via an "overload" of the command-line utility, aka Bug ID CSCui58229.

6.3 2013-11-17 CVE-2013-6688

Directory traversal vulnerability in the license-upload interface in the Enterprise License Manager (ELM) component in Cisco Unified Communications Manager 9.1(1) and earlier allows remote authenticated users to create arbitrary files via a crafted path, aka Bug ID CSCui58222.

7.8 2013-08-22 CVE-2013-3453

Memory leak in Cisco Unified Communications Manager IM and Presence Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified Presence, allows remote attackers to cause a denial of service (memory and CPU consumption) by making many TCP connections to port (1) 5060 or (2) 5061, aka Bug ID CSCud84959.

CWE : Common Weakness Enumeration

%  (count)  CWE ID  Name
22% (7) CWE-20 Improper Input Validation
12% (4) CWE-287 Improper Authentication
12% (4) CWE-264 Permissions, Privileges, and Access Controls
9% (3) CWE-399 Resource Management Errors
9% (3) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
6% (2) CWE-352 Cross-Site Request Forgery (CSRF)
6% (2) CWE-310 Cryptographic Issues
6% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
3% (1) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
3% (1) CWE-200 Information Exposure
3% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
3% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

Open Source Vulnerability Database (OSVDB)

id Description
67565 Cisco Unified Communications Manager SIPStationInit Malformed SIP Message Rem...
67564 Cisco Unified Communications Manager SendCombinedStatusInfo Malformed SIP REG...
57452 Cisco Unified Communications Manager Unspecified SIP Packet Handling Remote DoS
46815 Cisco Unified Communications Manager (CUCM) RIS Data Collector Authentication...
46814 Cisco Unified Communications Manager (CUCM) Computer Telephony Integration (C...
45208 Cisco Unified Communications Manager Certificate Trust List (CTL) Provider Se...
45204 Cisco Unified Communications Manager SIP INVITE Handling Remote DoS (CSCsk46944)
45203 Cisco Unified Communications Manager SIP INVITE Handling Remote DoS (CSCsl22355)
37941 Cisco Unified Communications Manager (CUCM) SIP INVITE Message Saturation Rem...
37940 Cisco Unified Communications Manager (CUCM) Centralized TFTP File Locator Ser...
36122 Cisco Unified Communications Manager (CUCM) Certificate Trust List (CTL) Prov...
36121 Cisco Unified Communications Manager (CUCM) Real-Time Information Server (RIS...

Information Assurance Vulnerability Management (IAVM)

id Description
2013-B-0094 Cisco Unified Communications Manager IM and Presence Service Remote Denial of...
Severity: Category I - VMSKEY: V0040164

Nessus® Vulnerability Scanner

Date  Name / File / Type
2017-11-17 Name: The remote device is missing a vendor-supplied security patch.
File: cisco-sa-20171115-vos-unified_communications_manager.nasl - Type: ACT_GATHER_INFO
2017-11-17 Name: The remote device is missing a vendor-supplied security patch.
File: cisco-sa-20171115-vos-unified_presence.nasl - Type: ACT_GATHER_INFO
2017-11-17 Name: The remote device is missing a vendor-supplied security patch.
File: cisco-sa-20171115-vos-unity_connection.nasl - Type: ACT_GATHER_INFO
2014-12-29 Name: The remote device is affected by a security bypass vulnerability.
File: cisco_cucm_CSCuq86376.nasl - Type: ACT_GATHER_INFO
2013-09-03 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20130821-cups.nasl - Type: ACT_GATHER_INFO