Cisco Unified Communications Manager Bugs Let Remote Users Modify System Data and Conduct Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1029843
SecurityTracker URL: http://securitytracker.com/id/1029843
CVE Reference:
CVE-2014-0740, CVE-2014-0741, CVE-2014-0742, CVE-2014-0743, CVE-2014-0747
Date: Feb 27 2014
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information, User access via local system
Vendor Confirmed: Yes
Description:
Several vulnerabilities were reported in Cisco Unified Communications Manager. A remote user can modify system information. A local user can read and write files on the target system. A local user can execute arbitrary operating system commands on the target system. A remote user can conduct cross-site request forgery attacks.
A remote user can create a specially crafted URL that, when loaded by a target user, will take actions on the OS Administration Call Detail Records (CDR) Analysis and Reporting (CAR) web interface acting as the target user [CVE-2014-0740].
The vendor has assigned bug ID CSCun00701 to this vulnerability.
A local user can submit a specially crafted command-line entry to exploit a flaw in the Certificate Authority Proxy Function (CAPF) certificate-import command-line function and read or write arbitrary files on the underlying operating system [CVE-2014-0741].
The vendor has assigned bug ID CSCum95461 to this vulnerability.
A local user can exploit a flaw in the Certificate Authority Proxy Function (CAPF) command-line function for Certificate Signing Request (CSR) management to read or write arbitrary files on the underlying operating system [CVE-2014-0742].
The vendor has assigned bug ID CSCum95464 to this vulnerability.
A remote user can exploit a flaw in the Certificate Authority Proxy Function (CAPF) to modify information related to registered devices [CVE-2014-0743].
The vendor has assigned bug ID CSCum95468 to this vulnerability.
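The first issue above is a classic cross-site request forgery against an administrative web interface: the browser attaches the victim's session cookie to a state-changing request that a third-party page triggered. The following is an added example, not code from the advisory or from Cisco, showing the standard server-side defense as a defender would implement it: a per-session synchronizer token compared in constant time, plus an Origin/Referer check against a trusted-origin list. The origins, paths and session fields are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed value: the origin the administrative web interface is served from.
TRUSTED_ORIGINS = {"https://cucm-admin.example.internal"}

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical, for the demo)."""
    method: str
    path: str
    session: Optional[Session]          # resolved from the cookie the browser sent
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def source_origin(headers: dict) -> Optional[str]:
    """Reduce the Origin (or, failing that, Referer) header to scheme://host[:port]."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(request: Request, trusted_origins=TRUSTED_ORIGINS) -> Tuple[bool, str]:
    """Return (allowed, reason). Both the origin and the per-session token must match."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if request.session is None:
        return False, "no authenticated session"
    origin = source_origin(request.headers)
    if origin is None:
        return False, "missing Origin/Referer header"
    if origin not in trusted_origins:
        return False, f"untrusted origin {origin}"
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so a mismatch leaks nothing about the token.
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        return False, "csrf token missing or mismatched"
    return True, "ok"


def demo() -> dict:
    """Run four constructed requests against the check and return each verdict."""
    admin = Session(user="ccmadmin")
    same_origin = {"Origin": "https://cucm-admin.example.internal"}
    cross_site = {"Origin": "https://third-party.example"}
    return {
        # Legitimate form submission from the interface itself, token included.
        "legitimate": csrf_check(Request("POST", "/car/report/delete", admin,
                                         {"csrf_token": admin.csrf_token}, same_origin)),
        # Browser auto-attached the session cookie, but the page came from elsewhere;
        # the token is included only to show that the origin check fires first.
        "cross_site": csrf_check(Request("POST", "/car/report/delete", admin,
                                         {"csrf_token": admin.csrf_token}, cross_site)),
        # Right origin, but a third-party page cannot read the token, so it is absent.
        "no_token": csrf_check(Request("POST", "/car/report/delete", admin, {}, same_origin)),
        # Read-only request: nothing to protect.
        "read_only": csrf_check(Request("GET", "/car/report/list", admin, {}, cross_site)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} -> {'ALLOW' if ok else 'DENY':5s} ({why})")
```

Both checks are kept because each covers the other's gap: the token check holds even when a browser strips the Origin header, and the origin check holds even if a token is ever exposed through another flaw. Running the block prints one verdict per constructed request; only the legitimate POST and the read-only GET are allowed.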
Impact:
A remote user can take actions on the interface acting as the target user.
A remote user can modify information related to registered devices.
A local user can read and write files on the target system.
A local user can execute arbitrary operating system commands on the target system.
Solution:
No solution was available at the time of this entry.
The vendor's advisories are available at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0740
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0741
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0742
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0743
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0747
Vendor URL: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0742
Cause:
Access control error, Input validation error
Message History:
None.
Source Message Contents
[Original Message Not Available for Viewing]