CVE-2021-1399

EPSS 0.07%
Published 08.04.2021 04:15:12
Last modified 21.11.2024 05:44:15
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Self Care Portal of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to modify data on an affected system without proper authorization. The vulnerability is due to insufficient validation of user-supplied data to the Self Care Portal. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify information without proper authorization.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Unified Communications Manager SwEdition- Version >= 10.5\(2\) < 12.5\(1\)su4

Cisco ≫ Unified Communications Manager SwEditionsession_management Version >= 10.5\(2\) < 12.5\(1\)su4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.223

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
psirt@cisco.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-302 Authentication Bypass by Assumed-Immutable Data

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-selfcare-VRWWWHgE

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-1399

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-1399

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-1399

EUVD