CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-3177 – Cisco Unified Communications Manager Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-3177
A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system. Una vulnerabilidad en la Tool for Auto-Registered Phones Support (TAPS) de Cisco Unified Communications Manager (UCM) y Cisco Unified Communications Manager Session Management Edition (SME) podría permitir a un atacante remoto no autenticado conducir ataques de salto de directorio sobre un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 2%CPEs: 5EXPL: 0CVE-2019-1888 – Cisco Unified Contact Center Express Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1888
A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-privesc-Zd7bvwyf • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-15278 – Cisco Finesse Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-15278
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Finesse, podría permitir a un atacante remoto no autenticado omitir la autorización y acceder a información confidencial relacionada con el dispositivo. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-finesse-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-15259 – Cisco Unified Contact Center Express HTTP Response Splitting Vulnerability
https://notcve.org/view.php?id=CVE-2019-15259
A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request on an affected device. A successful exploit could allow the attacker to perform cross-site scripting attacks, web cache poisoning, access sensitive browser-based information, and similar exploits. Una vulnerabilidad en el Software Cisco Unified Contact Center Express (UCCX), podría permitir a un atacante remoto no autenticado realizar un ataque de división de respuesta HTTP. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-uccx- • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12633 – Cisco Unified Contact Center Express Request Processing Server-Side Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-12633
A vulnerability in Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) attack on a targeted system. The vulnerability is due to improper validation of user-supplied input on the affected system. An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If the request is processed, the attacker could access the system and perform unauthorized actions. Una vulnerabilidad en Cisco Unified Contact Center Express (Unified CCX) podría permitir a un atacante remoto no autenticado omitir los controles de acceso y conducir un ataque de tipo server-side request forgery (SSRF) en un sistema de destino. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-unified-ccx-ssrf • CWE-20: Improper Input Validation CWE-918: Server-Side Request Forgery (SSRF) •