The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco Unified CM

computer vulnerability alert CVE-2017-12357

Cisco Unified Communications Manager: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 30/11/2017.
Identifiers: cisco-sa-20171129-cucm, CSCvf79346, CVE-2017-12357, VIGILANCE-VUL-24576.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2017-12302

Cisco Unified Communications Manager: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection in Cisco Unified Communications Manager, in order to read or alter data.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 16/11/2017.
Identifiers: cisco-sa-20171115-ucm, CSCvf36682, CVE-2017-12302, VIGILANCE-VUL-24473.

Description of the vulnerability

The Cisco Unified Communications Manager product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection in Cisco Unified Communications Manager, in order to read or alter data.

vulnerability CVE-2017-12258

Cisco Unified Communications Manager: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 05/10/2017.
Identifiers: CERTFR-2017-AVI-333, cisco-sa-20171004-ucm, CSCve60993, CVE-2017-12258, VIGILANCE-VUL-24030.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.

vulnerability alert CVE-2017-6791

Cisco Unified Communications Manager: denial of service via TVS

Synthesis of the vulnerability

An attacker can generate a fatal error via TVS of Cisco Unified Communications Manager, in order to trigger a denial of service.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 07/09/2017.
Identifiers: cisco-sa-20170906-ucm, CSCux21905, CVE-2017-6791, VIGILANCE-VUL-23761.

Description of the vulnerability

An attacker can generate a fatal error via TVS of Cisco Unified Communications Manager, in order to trigger a denial of service.

vulnerability alert CVE-2017-6785

Cisco Unified Communications Manager: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Cisco Unified Communications Manager, in order to escalate their privileges.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 17/08/2017.
Identifiers: CERTFR-2017-AVI-269, cisco-sa-20170816-ucm, CSCve27331, CVE-2017-6785, VIGILANCE-VUL-23551.

Description of the vulnerability

An attacker can bypass restrictions of Cisco Unified Communications Manager, in order to escalate their privileges.

computer vulnerability alert CVE-2017-6758

Cisco Unified Communications Manager: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Cisco Unified Communications Manager, in order to read a file outside the service root path.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 03/08/2017.
Identifiers: cisco-sa-20170802-ucm1, CSCve13796, CVE-2017-6758, VIGILANCE-VUL-23446.

Description of the vulnerability

An attacker can traverse directories of Cisco Unified Communications Manager, in order to read a file outside the service root path.

computer vulnerability CVE-2017-6757

Cisco Unified Communications Manager: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection in Cisco Unified Communications Manager, in order to read or alter data.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 03/08/2017.
Identifiers: cisco-sa-20170802-ucm, CSCve13786, CVE-2017-6757, VIGILANCE-VUL-23445.

Description of the vulnerability

The Cisco Unified Communications Manager product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection in Cisco Unified Communications Manager, in order to read or alter data.

vulnerability alert CVE-2017-6654

Cisco Unified Communications Manager: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/05/2017.
Identifiers: CERTFR-2017-AVI-160, cisco-sa-20170517-ucm, CSCvc06608, CVE-2017-6654, VIGILANCE-VUL-22761.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.

computer vulnerability announce CVE-2017-3808

Cisco Unified Communications Manager: denial of service via Session Initiation Protocol

Synthesis of the vulnerability

An attacker can start many Session Initiation Protocol connections to Cisco Unified Communications Manager, in order to trigger a denial of service.
Impacted products: Cisco CUCM.
Severity: 3/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 20/04/2017.
Identifiers: CERTFR-2017-AVI-127, cisco-sa-20170419-ucm, CVE-2017-3808, VIGILANCE-VUL-22507.

Description of the vulnerability

The Cisco Unified Communications Manager product includes an implementation of the Session Initiation Protocol.

However, the traffic priority management mishandles SIP.

An attacker can therefore start many Session Initiation Protocol connections to Cisco Unified Communications Manager, in order to trigger a denial of service.

vulnerability CVE-2017-3888

Cisco Unified Communications Manager: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/04/2017.
Identifiers: cisco-sa-20170405-ucm1, CSCvc83712, CVE-2017-3888, VIGILANCE-VUL-22360.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in Cisco Unified Communications Manager, in order to run JavaScript code in the context of the web site.