ID CVE-2006-3109
Summary Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 before 3.3(5)SR3, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3), and 4.3 before 4.3(1), allows remote attackers to inject arbitrary web script or HTML via the (1) pattern parameter in ccmadmin/phonelist.asp and (2) arbitrary parameters in ccmuser/logon.asp, aka bugid CSCsb68657.
References
Vulnerable Configurations
  • cpe:2.3:h:cisco:call_manager:3.3:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(3\):*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(3\)es61:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(4\)es25:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(5\):*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(5\)es30:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(5\)sr1:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:3.3\(5\)sr2:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(2\)es33:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(2\)es55:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(3\)es07:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(3\)es32:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(3\)sr1:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(3\)sr2:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.1\(3\)sr3:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.2:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.2\(1\):*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.2\(2\):*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.3:*:*:*:*:*:*:*
  • cpe:2.3:h:cisco:call_manager:4.3\(1\):*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 18-10-2018 - 16:45)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
bid 18504
bugtraq 20060619 Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
cisco 20060619 Cisco Response to: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
fulldisc
  • 20060619 Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
  • 20060620 Re: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks
misc http://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+CallManager+XSS+Advisory.htm
osvdb
  • 26651
  • 26652
sectrack 1016328
secunia 20735
sreason 1114
vupen ADV-2006-2443
xf cisco-callmanager-web-xss(27225)
Last major update 18-10-2018 - 16:45
Published 21-06-2006 - 01:02
Last modified 18-10-2018 - 16:45