Lucene search

CiscoCVELIST:CVE-2021-1246

HistoryJan 13, 2021 - 9:17 p.m.

CVE-2021-1246 Cisco Finesse OpenSocial Gadget Editor Unauthenticated Access Vulnerability

2021-01-1321:17:33

cisco

www.cve.org

cisco finesse

web-based management interface

cross-site scripting

authentication mechanism

confidential information

cve-2021-1246

vulnerabilities

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

51.5%

JSON

Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability

A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials.
The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CNA Affected

[
  {
    "vendor": "Cisco",
    "product": "Cisco Unified Customer Voice Portal (CVP)",
    "versions": [
      {
        "version": "12.6(2)_ES4",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET5",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET7",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET8",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ES9",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ES10",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ES11",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET12",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET13",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ES14",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ES15",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET16",
        "status": "affected"
      },
      {
        "version": "12.6(2)_ET17",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

51.5%

JSON

Related for CVELIST:CVE-2021-1246