cnvd - cnvd-2018-11351

cnvd-2018-11351

Vulnerability from cnvd

Title: Cisco Unified Communications Manager输入验证漏洞

Description:

Cisco Unified Communications Manager（CUCM，Unified CM，CallManager）是美国思科（Cisco）公司的一款统一通信系统中的呼叫处理组件。该组件提供了一种可扩展、可分布和高可用的企业IP电话呼叫处理解决方案。

Cisco Unified CM中的Web UI存在输入验证漏洞，该漏洞源于程序未能充分的保护HTML iframes。远程攻击者可通过诱使用户导航到被攻击者控制并包含有恶意HTML iframe的网站利用该漏洞实施点击劫持攻击或其他针对客户端浏览器的攻击。

Severity: 中

Patch Name: Cisco Unified Communications Manager输入验证漏洞的补丁

Patch Description:

Cisco Unified CM中的Web UI存在输入验证漏洞，该漏洞源于程序未能充分的保护HTML iframes。远程攻击者可通过诱使用户导航到被攻击者控制并包含有恶意HTML iframe的网站利用该漏洞实施点击劫持攻击或其他针对客户端浏览器的攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg19761

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

Impacted products

Name
Cisco Systems, Inc. Cisco Unified Communications Manager

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0355"
    }
  },
  "description": "Cisco Unified Communications Manager\uff08CUCM\uff0cUnified CM\uff0cCallManager\uff09\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7edf\u4e00\u901a\u4fe1\u7cfb\u7edf\u4e2d\u7684\u547c\u53eb\u5904\u7406\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u63d0\u4f9b\u4e86\u4e00\u79cd\u53ef\u6269\u5c55\u3001\u53ef\u5206\u5e03\u548c\u9ad8\u53ef\u7528\u7684\u4f01\u4e1aIP\u7535\u8bdd\u547c\u53eb\u5904\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nCisco Unified CM\u4e2d\u7684Web UI\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u4fdd\u62a4HTML iframes\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u5bfc\u822a\u5230\u88ab\u653b\u51fb\u8005\u63a7\u5236\u5e76\u5305\u542b\u6709\u6076\u610fHTML iframe\u7684\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u70b9\u51fb\u52ab\u6301\u653b\u51fb\u6216\u5176\u4ed6\u9488\u5bf9\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u7684\u653b\u51fb\u3002",
  "discovererName": "Cisco",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg19761",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-11351",
  "openTime": "2018-06-12",
  "patchDescription": "Cisco Unified Communications Manager\uff08CUCM\uff0cUnified CM\uff0cCallManager\uff09\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7edf\u4e00\u901a\u4fe1\u7cfb\u7edf\u4e2d\u7684\u547c\u53eb\u5904\u7406\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u63d0\u4f9b\u4e86\u4e00\u79cd\u53ef\u6269\u5c55\u3001\u53ef\u5206\u5e03\u548c\u9ad8\u53ef\u7528\u7684\u4f01\u4e1aIP\u7535\u8bdd\u547c\u53eb\u5904\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nCisco Unified CM\u4e2d\u7684Web UI\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u4fdd\u62a4HTML iframes\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u5bfc\u822a\u5230\u88ab\u653b\u51fb\u8005\u63a7\u5236\u5e76\u5305\u542b\u6709\u6076\u610fHTML iframe\u7684\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u70b9\u51fb\u52ab\u6301\u653b\u51fb\u6216\u5176\u4ed6\u9488\u5bf9\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u7684\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Unified Communications Manager\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Systems, Inc. Cisco Unified Communications Manager"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs",
  "serverity": "\u4e2d",
  "submitTime": "2018-06-12",
  "title": "Cisco Unified Communications Manager\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e"
}

CVE-2018-0355 (GCVE-0-2018-0355)

Vulnerability from cvelistv5

Published

2018-06-07 21:00

Modified

2024-11-29 15:03

Severity ?

CWE

CWE-20

Summary

A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/104425	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1041068	vdb-entry, x_refsource_SECTRACK
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Cisco Unified Communications Manager unknown	Version: Cisco Unified Communications Manager unknown

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:21:15.458Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "104425",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104425"
          },
          {
            "name": "1041068",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041068"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2018-0355",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-29T14:37:44.595858Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-29T15:03:27.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Unified Communications Manager unknown",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco Unified Communications Manager unknown"
            }
          ]
        }
      ],
      "datePublic": "2018-06-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-14T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "104425",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104425"
        },
        {
          "name": "1041068",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041068"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2018-0355",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Unified Communications Manager unknown",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco Unified Communications Manager unknown"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "104425",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104425"
            },
            {
              "name": "1041068",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041068"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2018-0355",
    "datePublished": "2018-06-07T21:00:00",
    "dateReserved": "2017-11-27T00:00:00",
    "dateUpdated": "2024-11-29T15:03:27.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted