Cisco Unified Communications Manager IM and Presence Service information disclosure

Summaryinfo

A vulnerability labeled as problematic has been found in Cisco Unified Communications Manager IM and Presence Service. Affected by this issue is some unknown functionality. Such manipulation leads to information disclosure. This vulnerability is listed as CVE-2024-20457. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Cisco Unified Communications Manager IM and Presence Service. It has been rated as problematic. Affected by this issue is an unknown part. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

A vulnerability in the logging component of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability is due to the storage of unencrypted credentials in certain logs. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to access sensitive information from the device.

The advisory is shared for download at sec.cloudapps.cisco.com. This vulnerability is handled as CVE-2024-20457 since 11/08/2023. The exploitation is known to be easy. The attack may be launched remotely. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading eliminates this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Unified Communication Software

Vendor

• Cisco

Name

• Unified Communications Manager IM and Presence Service

Version

• 10.0(1)
• 10.0(1)SU1
• 10.0(1)SU2
• 10.5(1)
• 10.5(1)SU1
• 10.5(1)SU2
• 10.5(1)SU3
• 10.5(2)
• 10.5(2)SU1
• 10.5(2)SU2
• 10.5(2)SU2a
• 10.5(2)SU3
• 10.5(2)SU4
• 10.5(2)SU4a
• 10.5(2a)
• 10.5(2b)
• 11.0
• 11.0(1)
• 11.0(1)SU1
• 11.5(1)
• 11.5(1)SU1
• 11.5(1)SU2
• 11.5(1)SU3
• 11.5(1)SU3a
• 11.5(1)SU4
• 11.5(1)SU5
• 11.5(1)SU5a
• 11.5(1)SU6
• 11.5(1)SU7
• 11.5(1)SU8
• 11.5(1)SU9
• 11.5(1)SU10
• 11.5(1)SU11
• 12.5(1)
• 12.5(1)SU1
• 12.5(1)SU2
• 12.5(1)SU3
• 12.5(1)SU4
• 12.5(1)SU5
• 12.5(1)SU6
• 12.5(1)SU7
• 12.5(1)SU8
• 14
• 14SU1
• 14SU2
• 14SU2a
• 14SU3
• 14SU4
• 15
• 15SU1

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion