Cisco Unified Communications Manager Web-based Interface cross-site request forgery
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.0 | $0-$5k | 0.00 |
A vulnerability, which was classified as problematic, has been found in Cisco Unified Communications Manager, Unified Communications Manager Session Management Edition, Unified Communications Manager IM, Presence and Unity Connection (Unified Communication Software). Affected by this issue is some unknown functionality of the component Web-based Interface. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is integrity. CVE summarizes:
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.
The weakness was released 10/02/2019 as cisco-sa-20191002-cucm-csrf as confirmed advisory (Website). The advisory is available at tools.cisco.com. This vulnerability is handled as CVE-2019-1915 since 12/06/2018. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available.
Upgrading eliminates this vulnerability.
Entries connected to this vulnerability are available at VDB-170101, VDB-174583, VDB-176762 and VDB-176763.
Product
Type
Vendor
Name
- Presence
- Unified Communications Manager
- Unified Communications Manager IM
- Unified Communications Manager Session Management Edition
- Unity Connection
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.1VulDB Meta Temp Score: 6.0
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.5
NVD Vector: 🔍
CNA Base Score: 6.5
CNA Vector (Cisco Systems, Inc.): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
12/06/2018 🔍10/02/2019 🔍
10/03/2019 🔍
12/29/2023 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20191002-cucm-csrf
Status: Confirmed
CVE: CVE-2019-1915 (🔍)
See also: 🔍
Entry
Created: 10/03/2019 10:43 AMUpdated: 12/29/2023 09:20 PM
Changes: 10/03/2019 10:43 AM (39), 09/20/2020 10:47 AM (18), 12/29/2023 09:20 PM (14)
Complete: 🔍
Cache ID: 44:145:40
No comments yet. Languages: en.
Please log in to comment.