Details of VAR-201702-0793

ID

VAR-201702-0793

CVE

CVE-2017-3828

TITLE

Cisco Unified Communications Manager Switch Web -Based scripting interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-001681

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvb98777. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.0(1.23063.1) 11.5(1.12029.1) 11.5(1.12900.11) 11.5(1.12900.21) 11.6(1.10000.4) 12.0(0.98000.156) 12.0(0.98000.178) 12.0(0.98000.369) 12.0(0.98000.470) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6). An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvb98777. Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is a call processing component in a unified communication system of Cisco (Cisco). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Trust: 1.98

sources: NVD: CVE-2017-3828 // JVNDB: JVNDB-2017-001681 // BID: 96240 // VULHUB: VHN-112031

AFFECTED PRODUCTS

vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.0\(1.10000.10\)	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.5\(1.10000.6\)	Trust: 1.6
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.5(1.10000.6)	Trust: 1.1
vendor:	cisco	model:	unified communications manager	scope:	eq	version:	11.0(1.10000.10)	Trust: 1.1
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	12.0(0.98000.536)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	12.0(0.98000.470)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	12.0(0.98000.369)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	12.0(0.98000.178)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	12.0(0.98000.156)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	11.6(1.10000.4)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	11.5(1.12900.21)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	11.5(1.12900.11)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	11.5(1.12029.1)	Trust: 0.3
vendor:	cisco	model:	unified communications manager	scope:	ne	version:	11.5(0.98000.480)	Trust: 0.3

sources: BID: 96240 // JVNDB: JVNDB-2017-001681 // NVD: CVE-2017-3828 // CNNVD: CNNVD-201702-661

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2017-3828
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-201702-661
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-112031
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	TRUE
version:	2.0
Trust: 1.0
NVD:	CVE-2017-3828
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-112031
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0
NVD:	CVE-2017-3828
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-112031 // JVNDB: JVNDB-2017-001681 // NVD: CVE-2017-3828 // CNNVD: CNNVD-201702-661

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-112031 // JVNDB: JVNDB-2017-001681 // NVD: CVE-2017-3828

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-661

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201702-661

CONFIGURATIONS

sources: NVD: CVE-2017-3828

PATCH

title:	cisco-sa-20170215-cucm1	url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-cucm1	Trust: 0.8
title:	Cisco Unified Communications Manager Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68170	Trust: 0.6

sources: JVNDB: JVNDB-2017-001681 // CNNVD: CNNVD-201702-661

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3828	Trust: 2.8
db:	BID	id:	96240	Trust: 2.0
db:	SECTRACK	id:	1037839	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-001681	Trust: 0.8
db:	CNNVD	id:	CNNVD-201702-661	Trust: 0.7
db:	VULHUB	id:	VHN-112031	Trust: 0.1

sources: VULHUB: VHN-112031 // BID: 96240 // JVNDB: JVNDB-2017-001681 // NVD: CVE-2017-3828 // CNNVD: CNNVD-201702-661

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-cucm1	Trust: 2.0
url:	http://www.securityfocus.com/bid/96240	Trust: 1.7
url:	http://www.securitytracker.com/id/1037839	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3828	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3828	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://www.cisco.com/en/us/products/sw/voicesw/ps556/index.html	Trust: 0.3

sources: VULHUB: VHN-112031 // BID: 96240 // JVNDB: JVNDB-2017-001681 // NVD: CVE-2017-3828 // CNNVD: CNNVD-201702-661

CREDITS

Cisco

Trust: 0.9

sources: BID: 96240 // CNNVD: CNNVD-201702-661

SOURCES

db:	VULHUB	id:	VHN-112031
db:	BID	id:	96240
db:	JVNDB	id:	JVNDB-2017-001681
db:	NVD	id:	CVE-2017-3828
db:	CNNVD	id:	CNNVD-201702-661

LAST UPDATE DATE

2023-12-18T12:37:36.370000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-112031	date:	2017-07-25T00:00:00
db:	BID	id:	96240	date:	2017-03-07T03:03:00
db:	JVNDB	id:	JVNDB-2017-001681	date:	2017-03-13T00:00:00
db:	NVD	id:	CVE-2017-3828	date:	2017-07-25T01:29:08.967
db:	CNNVD	id:	CNNVD-201702-661	date:	2017-02-22T00:00:00

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-112031	date:	2017-02-22T00:00:00
db:	BID	id:	96240	date:	2017-02-15T00:00:00
db:	JVNDB	id:	JVNDB-2017-001681	date:	2017-03-13T00:00:00
db:	NVD	id:	CVE-2017-3828	date:	2017-02-22T02:59:00.263
db:	CNNVD	id:	CNNVD-201702-661	date:	2017-02-22T00:00:00