CVE-2009-0632
- EPSS 1.31%
- Published 12.03.2009 15:20:49
- Last modified 09.04.2025 00:30:58
- Source psirt@cisco.com
The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.1, 4.2 before 4.2(3)SR4b, 4.3 before 4.3(2)SR1b, 5.x before 5.1(3e), 6.x before 6.1(3), and 7.0 before 7.0(2) sends privileged directory-service account credentials to the client in cleartext, which allows remote attackers to modify the CUCM configuration and perform other privileged actions by intercepting these credentials, and then using them in requests unrelated to the intended synchronization task, as demonstrated by (1) DC Directory account credentials in CUCM 4.x and (2) TabSyncSysUser account credentials in CUCM 5.x through 7.x.
Data is provided by the National Vulnerability Database (NVD)
Cisco ≫ Unified Communications Manager Version 4.1
Cisco ≫ Unified Communications Manager Version 4.2
Cisco ≫ Unified Communications Manager Version 4.3
Cisco ≫ Unified Communications Manager Version 5.0
Cisco ≫ Unified Communications Manager Version 6.0
Cisco ≫ Unified Communications Manager Version 6.1
Cisco ≫ Unified Communications Manager Version 7.0
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 1.31% | 0.789 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |