Details of VAR-201508-0506

ID

VAR-201508-0506

CVE

CVE-2015-4298

TITLE

Cisco Unified Web and E-mail Interaction Manager Vulnerable to reading stored data

Trust: 0.8

sources: JVNDB: JVNDB-2015-004355

DESCRIPTION

Cisco Unified Web and E-Mail Interaction Manager 9.0(2) and 11.0(1) improperly performs authorization, which allows remote authenticated users to read or write to stored data via unspecified vectors, aka Bug ID CSCuo89056. Vendors have confirmed this vulnerability Bug ID CSCuo89056 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlThe stored data may be read or written by a remotely authenticated user. Attackers can exploit this issue to gain unauthorized access and obtain sensitive information. This may aid in further attacks. Web Interaction Manager is a product that can help call center business representatives use websites and text chats or real-time Web collaboration to answer customer questions; E-mail Interaction Manager is a product used to manage a large number of customer emails submitted to corporate mailboxes or websites. A remote attacker could exploit this vulnerability to view, modify, or delete data stored on the device

Trust: 1.98

sources: NVD: CVE-2015-4298 // JVNDB: JVNDB-2015-004355 // BID: 76348 // VULHUB: VHN-82259

AFFECTED PRODUCTS

vendor:	cisco	model:	unified web and e-mail interaction manager	scope:	eq	version:	9.0\(2\)	Trust: 1.6
vendor:	cisco	model:	unified web and e-mail interaction manager	scope:	eq	version:	11.0\(1\)	Trust: 1.6
vendor:	cisco	model:	unified web and e-mail interaction manager	scope:	eq	version:	11.0(1)	Trust: 0.8
vendor:	cisco	model:	unified web and e-mail interaction manager	scope:	eq	version:	9.0(2)	Trust: 0.8
vendor:	cisco	model:	unified web interaction manager	scope:	eq	version:	9.0(2)	Trust: 0.3
vendor:	cisco	model:	unified web interaction manager	scope:	eq	version:	11.0(1)	Trust: 0.3
vendor:	cisco	model:	unified e-mail interaction manager	scope:	eq	version:	9.0(2)	Trust: 0.3
vendor:	cisco	model:	unified e-mail interaction manager	scope:	eq	version:	11.0(1)	Trust: 0.3

sources: BID: 76348 // JVNDB: JVNDB-2015-004355 // CNNVD: CNNVD-201508-374 // NVD: CVE-2015-4298

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4298
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-4298
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201508-374
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-82259
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-4298
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-82259
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-82259 // JVNDB: JVNDB-2015-004355 // CNNVD: CNNVD-201508-374 // NVD: CVE-2015-4298

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-82259 // JVNDB: JVNDB-2015-004355 // NVD: CVE-2015-4298

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-374

TYPE

Design Error

Trust: 0.3

sources: BID: 76348

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004355

PATCH

title:

40428

url:

http://tools.cisco.com/security/center/viewAlert.x?alertId=40428

Trust: 0.8

sources: JVNDB: JVNDB-2015-004355

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4298	Trust: 2.8
db:	BID	id:	76348	Trust: 2.0
db:	SECTRACK	id:	1033286	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-004355	Trust: 0.8
db:	CNNVD	id:	CNNVD-201508-374	Trust: 0.7
db:	VULHUB	id:	VHN-82259	Trust: 0.1

sources: VULHUB: VHN-82259 // BID: 76348 // JVNDB: JVNDB-2015-004355 // CNNVD: CNNVD-201508-374 // NVD: CVE-2015-4298

REFERENCES

url:	http://tools.cisco.com/security/center/viewalert.x?alertid=40428	Trust: 2.0
url:	http://www.securityfocus.com/bid/76348	Trust: 1.7
url:	http://www.securitytracker.com/id/1033286	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4298	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4298	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/c/en/us/products/customer-collaboration/unified-email-interaction-manager/index.html	Trust: 0.3
url:	http://www.cisco.com/c/en/us/products/customer-collaboration/unified-web-interaction-manager/index.html	Trust: 0.3

sources: VULHUB: VHN-82259 // BID: 76348 // JVNDB: JVNDB-2015-004355 // CNNVD: CNNVD-201508-374 // NVD: CVE-2015-4298

CREDITS

Jakub Kaluzny of Securing.pl

Trust: 0.9

sources: BID: 76348 // CNNVD: CNNVD-201508-374

SOURCES

db:	VULHUB	id:	VHN-82259
db:	BID	id:	76348
db:	JVNDB	id:	JVNDB-2015-004355
db:	CNNVD	id:	CNNVD-201508-374
db:	NVD	id:	CVE-2015-4298

LAST UPDATE DATE

2025-04-13T23:41:20.217000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-82259	date:	2016-12-28T00:00:00
db:	BID	id:	76348	date:	2015-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-004355	date:	2015-08-25T00:00:00
db:	CNNVD	id:	CNNVD-201508-374	date:	2015-08-18T00:00:00
db:	NVD	id:	CVE-2015-4298	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-82259	date:	2015-08-19T00:00:00
db:	BID	id:	76348	date:	2015-08-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-004355	date:	2015-08-25T00:00:00
db:	CNNVD	id:	CNNVD-201508-374	date:	2015-08-18T00:00:00
db:	NVD	id:	CVE-2015-4298	date:	2015-08-19T15:59:01.540