CVE-2018-0266

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables over the web interface. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view configuration parameters. Cisco Bug IDs: CSCvf20218.

Una vulnerabilidad en el framework web de Cisco Unified Communications Manager podría permitir que un atacante remoto autenticado visualice datos sensibles. Esta vulnerabilidad se debe a una protección de tablas de bases de datos insuficiente en la interfaz web. Un atacante podría explotar esta vulnerabilidad navegando hasta una URL específica. Su explotación podría permitir que el atacante vea parámetros de configuración. Cisco Bug IDs: CSCvf20218.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-27 CVE Reserved
2018-04-19 CVE Published
2023-09-10 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-425: Direct Request ('Forced Browsing')

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/103933	Third Party Advisory
http://www.securitytracker.com/id/1040718	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-ucm	2020-09-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Unified Communications Manager Search vendor "Cisco" for product "Unified Communications Manager"				10.5\(2.10000.5\) Search vendor "Cisco" for product "Unified Communications Manager" and version "10.5\(2.10000.5\)"		-		Affected
Cisco Search vendor "Cisco"		Unified Communications Manager Search vendor "Cisco" for product "Unified Communications Manager"				11.0\(1.10000.10\) Search vendor "Cisco" for product "Unified Communications Manager" and version "11.0\(1.10000.10\)"		-		Affected
Cisco Search vendor "Cisco"		Unified Communications Manager Search vendor "Cisco" for product "Unified Communications Manager"				11.5\(1.10000.6\) Search vendor "Cisco" for product "Unified Communications Manager" and version "11.5\(1.10000.6\)"		-		Affected
Cisco Search vendor "Cisco"		Unified Communications Manager Search vendor "Cisco" for product "Unified Communications Manager"				12.0\(1.10000.10\) Search vendor "Cisco" for product "Unified Communications Manager" and version "12.0\(1.10000.10\)"		-		Affected