The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Unified Contact Center Express

security alert CVE-2014-2180

Cisco Unified Contact Center Express: file upload

Synthesis of the vulnerability

An attacker can upload a malicious file to Cisco Unified Contact Center Express, for example a Trojan.
Severity: 2/4.
Creation date: 29/04/2014.
Identifiers: CSCun74133, CVE-2014-2180, VIGILANCE-VUL-14673.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Cisco Unified Contact Center Express product offers a web service.

It can be used to upload a file with Document Management. However, this file can be written to an arbitrary directory on the server.

An attacker can therefore upload a malicious file to Cisco Unified Contact Center Express, for example a Trojan.

vulnerability CVE-2014-2102

Cisco Unified Contact Center Express: information disclosure via CCMConfig

Synthesis of the vulnerability

An attacker can read a page of Cisco Unified Contact Center Express, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 26/02/2014.
Identifiers: BID-65797, CSCum95575, CVE-2014-2102, VIGILANCE-VUL-14326.

Description of the vulnerability

The Cisco Unified Contact Center Express product offers a web service.

However, the CCMConfig page contains sensitive information.

An attacker can therefore read a page of Cisco Unified Contact Center Express, in order to obtain sensitive information.

security weakness CVE-2014-0746

Cisco Unified Contact Center Express: information disclosure via DRS

Synthesis of the vulnerability

An attacker can read a DRS page of Cisco Unified Contact Center Express, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 26/02/2014.
Identifiers: BID-65802, CSCum95536, CVE-2014-0746, VIGILANCE-VUL-14324.

Description of the vulnerability

The Cisco Unified Contact Center Express product offers a web service.

However, a DRS (Disaster Recovery System) page contains sensitive information.

An attacker can therefore read a DRS page of Cisco Unified Contact Center Express, in order to obtain sensitive information.

cybersecurity vulnerability CVE-2014-0745

Cisco Unified Contact Center Express: Cross Site Request Forgery of Serviceability

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery in the Serviceability page of Cisco Unified Contact Center Express, in order to force the victim to perform operations.
Severity: 2/4.
Creation date: 26/02/2014.
Identifiers: BID-65798, CSCum95502, CVE-2014-0745, VIGILANCE-VUL-14323.

Description of the vulnerability

The Cisco Unified Contact Center Express product offers a web service.

However, the Serviceability page does not check the origin of requests. A request can, for example, be triggered by an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery in the Serviceability page of Cisco Unified Contact Center Express, in order to force the victim to perform operations.

threat note CVE-2013-5211

ntp.org: distributed denial of service via monlist

Synthesis of the vulnerability

An attacker can use the monlist command of ntp.org ntpd, in order to trigger a distributed denial of service.
Severity: 2/4.
Creation date: 31/12/2013.
Identifiers: 1532, BID-64692, c04084148, CERTA-2014-AVI-034, CERTFR-2014-AVI-069, CERTFR-2014-AVI-112, CERTFR-2014-AVI-117, CERTFR-2014-AVI-244, CERTFR-2014-AVI-526, CSCtd75033, CSCum44673, CSCum52148, CSCum76937, CSCun84909, CSCur38341, CVE-2013-5211, ESX400-201404001, ESX400-201404402-SG, ESX410-201404001, ESX410-201404402-SG, ESXi400-201404001, ESXi400-201404401-SG, ESXi410-201404001, ESXi410-201404401-SG, ESXi510-201404001, ESXi510-201404101-SG, ESXi510-201404102-SG, ESXi550-201403101-SG, FreeBSD-SA-14:02.ntpd, HPSBUX02960, JSA10613, MBGSA-1401, NetBSD-SA2014-002, openSUSE-SU-2014:0949-1, openSUSE-SU-2014:1149-1, sk98758, SSA:2014-044-02, SSRT101419, VIGILANCE-VUL-14004, VMSA-2014-0002, VMSA-2014-0002.1, VMSA-2014-0002.2, VMSA-2014-0002.4, VMSA-2015-0001.

Description of the vulnerability

The ntp.org service implements the "monlist" command, which returns the list of the last 600 clients that connected to the server.

However, the reply is much larger than the query. Moreover, public NTP servers require no authentication, and the source address of UDP packets can be spoofed.

An attacker can therefore use the monlist command of ntp.org ntpd, in order to trigger a distributed denial of service.

computer threat note CVE-2013-1214

Cisco Unified Contact Center Express: reading scripts

Synthesis of the vulnerability

An unauthenticated attacker can read scripts of Cisco Unified Contact Center Express, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 22/04/2013.
Identifiers: BID-59358, CSCuf77546, CVE-2013-1214, VIGILANCE-VUL-12700.

Description of the vulnerability

The Cisco Unified Contact Center Express product uses a repository to store scripts.

However, anonymous users can read the content of this repository.

An unauthenticated attacker can therefore read scripts of Cisco Unified Contact Center Express, in order to obtain sensitive information.

computer threat CVE-2011-2583

Cisco Unified Contact Center: denial of service

Synthesis of the vulnerability

An attacker can send network data, in order to create a denial of service on Cisco Unified Contact Center.
Severity: 2/4.
Creation date: 09/05/2012.
Identifiers: CSCth33834, CVE-2011-2583, VIGILANCE-VUL-11607.

Description of the vulnerability

An attacker can send network data, in order to create a denial of service on Cisco Unified Contact Center.

threat note CVE-2011-3315

Cisco Unified Communications Manager, Contact Center Express: file reading

Synthesis of the vulnerability

A remote unauthenticated attacker can use the web interface of Cisco Unified Communications Manager and Cisco Unified Contact Center Express, in order to read a file on the system.
Severity: 2/4.
Creation date: 27/10/2011.
Revision date: 08/11/2011.
Identifiers: BID-50372, CERTA-2011-AVI-601, cisco-sa-20111026-cucm, cisco-sa-20111026-uccx, CSCth09343, CSCts44049, CVE-2011-3315, DDIVRT-2011-35, VIGILANCE-VUL-11100.

Description of the vulnerability

Cisco Unified Communications Manager offers a web interface listening on port 8080/tcp. Cisco Unified Contact Center Express offers a web interface listening on ports 8080/tcp and 9080/tcp.

However, these web interfaces do not correctly filter request paths containing sequences like "../../", so an attacker can traverse directories and read a file located outside the root directory of the product.

A remote unauthenticated attacker can therefore use the web interface of Cisco Unified Communications Manager and Cisco Unified Contact Center Express, in order to read a file on the system.

computer weakness announcement CVE-2010-1570 CVE-2010-1571

Cisco Unified Contact Center Express: two vulnerabilities

Synthesis of the vulnerability

An attacker can generate a denial of service or read a file via Cisco Unified Contact Center Express.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/06/2010.
Identifiers: 111897, 111998, BID-40680, BID-40684, CERTA-2010-AVI-256, cisco-amb-20100609-uccx, cisco-sa-20100609-uccx, CSCso89629, CSCsx76165, CVE-2010-1570, CVE-2010-1571, VIGILANCE-VUL-9698.

Description of the vulnerability

Two vulnerabilities were announced in Cisco Unified Contact Center Express.

When ICD (Integrated Call Distribution) is enabled, the CTI (Computer Telephony Integration) server listens on port 42027/tcp. An attacker can send a malformed CTI message, in order to restart the CTI server. [severity:3/4; BID-40684, CERTA-2010-AVI-256, CSCso89629, CVE-2010-1570]

An attacker can send a Bootstrap message to port 6295/tcp, in order to read a file from the system. [severity:3/4; BID-40680, CSCsx76165, CVE-2010-1571]

An attacker can therefore generate a denial of service or read a file via Cisco Unified Contact Center Express.