Cisco Unified Communications Manager 10.0(1.10000.3) Call Detail Records Analysis/Reporting Page cross-site request forgery

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Cisco Unified Communications Manager 10.0(1.10000.3). The impacted element is an unknown function of the component Call Detail Records Analysis/Reporting Page. This manipulation causes cross-site request forgery. The identification of this vulnerability is CVE-2014-0736. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. Applying a patch is the recommended action to fix this issue.
Details
A vulnerability classified as problematic was found in Cisco Unified Communications Manager 10.0(1.10000.3) (Unified Communication Software). Affected by this vulnerability is an unknown functionality of the component Call Detail Records Analysis/Reporting Page. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. As an impact it is known to affect integrity. The summary by CVE is:
Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) page in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make CAR modifications, aka Bug ID CSCum46468.
The weakness was shared 02/18/2014 with Cisco as CSCum46468/CSCum95475 as confirmed advisory (Website). The advisory is shared at tools.cisco.com. This vulnerability is known as CVE-2014-0736 since 01/02/2014. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.
It is declared as highly functional.
Applying the patch CSCum46468/CSCum95475 is able to eliminate this problem. The bugfix is ready for download at tools.cisco.com.
The vulnerability is also documented in the databases at X-Force (91183), SecurityFocus (BID 65640†) and Secunia (SA56957†). The entries VDB-12353, VDB-12352, VDB-12351 and VDB-12350 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.cisco.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Highly functional
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: CSCum46468/CSCum95475
Timeline
01/02/2014 🔍02/18/2014 🔍
02/18/2014 🔍
02/20/2014 🔍
02/22/2014 🔍
06/09/2021 🔍
Sources
Vendor: cisco.comAdvisory: CSCum46468/CSCum95475
Organization: Cisco
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-0736 (🔍)
GCVE (CVE): GCVE-0-2014-0736
GCVE (VulDB): GCVE-100-12349
X-Force: 91183 - Cisco Unified Communications Manager CAR cross-site request forgery, Medium Risk
SecurityFocus: 65640 - Cisco Unified Communications Manager CVE-2014-0736 Cross Site Request Forgery Vulnerability
Secunia: 56957 - Cisco Unified Communications Manager CAR Interface Cross-Site Request Forgery Vulnerabilit, Less Critical
SecurityTracker: 1029792
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 02/22/2014 14:43Updated: 06/09/2021 15:58
Changes: 02/22/2014 14:43 (46), 03/30/2019 15:30 (21), 06/09/2021 15:58 (3)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.