7.2

CVE-2023-20266

A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device.

 This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.

Data is provided by the National Vulnerability Database (NVD)
CiscoEmergency Responder Version12.5.1su4
CiscoEmergency Responder Version12.5.1su8a
CiscoEmergency Responder Version14su3
CiscoUnified Communications Manager Version12.5.1su8 SwEdition-
CiscoUnified Communications Manager Version12.5.1su8 SwEditionsession_management
CiscoUnity Connection Version12.5(1)su6
CiscoUnity Connection Version12.5(1)su7
CiscoUnity Connection Version12.5(1)su8
CiscoUnity Connection Version14su2
CiscoUnity Connection Version14su3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.04% 0.089
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.