CVE-2017-12212

Severity Score

6.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Known Affected Releases 10.5(2). Cisco Bug IDs: CSCvf25345.

Una vulnerabilidad en el framework web de Cisco Unity Connection podría permitir que un atacante remoto no autenticado llevase a cabo un ataque de Cross-Site Scripting (XSS) reflejado contra un usuario de la interfaz web de un sistema afectado. La vulnerabilidad se debe a una validación de entrada insuficiente de algunos parámetros que se pasan al software afectado mediante los métodos HTTP GET y HTTP POST. Un atacante que pudiera convencer a un usuario para que abra un enlace proporcionado por el atacante podría ejecutar código HTML o scripts arbitrarios en el navegador del usuario en el contexto de una página afectada. Versiones afectadas conocidas 10.5(2): Cisco Bug IDs: CSCvf25345.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-03 CVE Reserved
2017-09-07 CVE Published
2023-03-07 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
http://www.securityfocus.com/bid/100645	Third Party Advisory
http://www.securitytracker.com/id/1039277	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf25345	2019-10-09
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-cuc	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Unity Connection Search vendor "Cisco" for product "Unity Connection"				10.5\(2\) Search vendor "Cisco" for product "Unity Connection" and version "10.5\(2\)"		-		Affected