CVE-2019-19257

Current Description

A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.

Basic Data

Published: October 02, 2019
Last Modified: October 09, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version: 2.3; Part: Application; Vendor: Cisco; Product: Unified Communications Manager
    Update, Edition, Language, SW Edition, Target SW, Target HW, Other: * (any); no Version Start/End range given
    Versions:
      10.5(2.10000.5)
      11.5(1.10000.6)
      12.0(1.10000.10)
      12.5(1.10000.22)
  • OR - Configuration 2
    CPE Version: 2.3; Part: Application; Vendor: Cisco; Product: Unity Connection
    Update, Edition, Language, SW Edition, Target SW, Target HW, Other: * (any); no Version Start/End range given
    Versions:
      11.5
      12.0
      12.5
      14.0
  • OR - Configuration 3
    CPE Version: 2.3; Part: Application; Vendor: Cisco; Product: Unified Communications Manager Im And Presence Service
    Update, Edition, Language, SW Edition, Target SW, Target HW, Other: * (any); no Version Start/End range given
    Versions:
      12.5(1)

Vulnerable Software List

Vendor | Product | Versions
Cisco | Unified Communications Manager | 10.5(2.10000.5), 11.5(1.10000.6), 12.0(1.10000.10), 12.5(1.10000.22)
Cisco | Unity Connection | 11.5, 12.0, 12.5, 14.0
Cisco | Unified Communications Manager Im And Presence Service | 12.5(1)

References

Name: 20191002 Multiple Cisco Unified Communications Products Cross-Site Request Forgery Vulnerability
Source: CISCO
URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-cucm-csrf
Tags: Vendor Advisory