Category:   Application (VoIP)  >   Cisco Unified Communications Manager (CallManager)
Vendors:   Cisco
Cisco Unified Communications Manager Bugs Let Remote Users Modify System Data and Conduct Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1029843
SecurityTracker URL:  http://securitytracker.com/id/1029843
CVE Reference:   CVE-2014-0740, CVE-2014-0741, CVE-2014-0742, CVE-2014-0743, CVE-2014-0747
Date:  Feb 27 2014
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information, User access via local system
Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in Cisco Unified Communications Manager. A remote user can modify system information. A local user can read and write files on the target system. A local user can execute arbitrary operating system commands on the target system. A remote user can conduct cross-site request forgery attacks.

A remote user can create a specially crafted URL that, when loaded by a target user, will take actions on the OS Administration Call Detail Records (CDR) Analysis and Reporting (CAR) web interface acting as the target user [CVE-2014-0740].

The vendor has assigned bug ID CSCun00701 to this vulnerability.

A local user can submit a specially crafted command line entry to exploit a flaw in the certificate import command-line function of the Certificate Authority Proxy Function (CAPF) to read or write arbitrary files on the underlying operating system [CVE-2014-0741].

The vendor has assigned bug ID CSCum95461 to this vulnerability.

A local user can exploit a flaw in the Certificate Authority Proxy Function (CAPF) command-line function for Certificate Signing Request (CSR) management to read or write arbitrary files on the underlying operating system [CVE-2014-0742].

The vendor has assigned bug ID CSCum95464 to this vulnerability.

A remote user can exploit a flaw in the Certificate Authority Proxy Function (CAPF) to modify information related to registered devices [CVE-2014-0743].

The vendor has assigned bug ID CSCum95468 to this vulnerability.

Impact:   A remote user can take actions on the interface acting as the target user.

A remote user can modify information related to registered devices.

A local user can read and write files on the target system.

A local user can execute arbitrary operating system commands on the target system.

Solution:   No solution was available at the time of this entry.

The vendor's advisories are available at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0740
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0741
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0742
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0743
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0747

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0742
Cause:   Access control error, Input validation error

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC