Cisco Unified Communications Manager vulnerabilities
207 known vulnerabilities affecting cisco/unified_communications_manager.
Total CVEs: 207
CISA KEV: 2 (actively exploited)
Public exploits: 6
Exploited in wild: 1
Severity breakdown
CRITICAL 12, HIGH 76, MEDIUM 117, LOW 1
Vulnerabilities
Page 5 of 11
CVE-2017-3874 | MEDIUM | CVSS 5.4 | CWE-79 | v11.5(1.11007.2) | 2017-03-17
A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack. More Information: CSCvb70033. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.507) 11.0(1.23900.5) 11.0(1.23900.3) 10.5(2.15900.2).
nvd
CVE-2017-3877 | MEDIUM | CVSS 6.5 | CWE-352 | v11.5(1.11.007.2) | 2017-03-17
A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information: CSCvb70021. Known Affected Releases: 11.5(1.11007.2).
nvd
CVE-2017-3836 | MEDIUM | CVSS 4.3 | CWE-200 | v11.5(1.11007.2) | 2017-02-22
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. More Information: CSCvb61689. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.162) 12.0(0.98000.178) 12.0(0.98000.383) 12.0(0.98000.488) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.
nvd
CVE-2017-3833 | MEDIUM | CVSS 6.1 | CWE-79 | v12.0(0.99999.2) | 2017-02-22
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. More Information: CSCvb95951. Known Affected Releases: 12.0(0.99999.2). Known Fixed Releases: 11.0(1.23064.1) 11.5(1.120
nvd
CVE-2017-3829 | MEDIUM | CVSS 6.1 | CWE-79 | v11.0(1.10000.10), v11.5(1.10000.6) | 2017-02-22
A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc30999. Known Affected Releases: 12.0(0.98000.280). Known
nvd
CVE-2017-3828 | MEDIUM | CVSS 6.1 | CWE-79 | v11.0(1.10000.10), v11.5(1.10000.6) | 2017-02-22
A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvb98777. Known Affected Releases: 11.0(1.10000.10) 11.5(1.1
nvd
CVE-2017-3821 | MEDIUM | CVSS 6.1 | CWE-79 | v10.5(2.14076.1) | 2017-02-22
A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks. More Information: CSCvc49348. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.209) 12.0(0.98000.478) 12.0(0.98000.609).
nvd
CVE-2017-3798 | MEDIUM | CVSS 6.1 | CWE-79 | v11.5(1.12000.1) | 2017-01-26
A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device. More Information: CSCvb97237. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 1
nvd
CVE-2017-3802 | MEDIUM | CVSS 6.1 | CWE-79 | v12.0(0.99000.9) | 2017-01-26
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc20679. Known Affected Releases: 12.0(0.99000.9). Known Fixed Releases: 12.0(0.98000.176) 12.0(0.98000.414) 12.0(0.98000.5
nvd
CVE-2016-9210 | HIGH | CVSS 7.5 | CWE-22 | v11.5(1.11007.2) | 2016-12-14
A vulnerability in the Cisco Unified Reporting upload tool accessed via the Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to modify arbitrary files on the file system. More Information: CSCvb61698. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.168) 12.0(0.98000.178) 12.0(0.98000.399) 1
nvd
CVE-2016-9206 | MEDIUM | CVSS 6.1 | CWE-79 | v11.5(1.10000.6) | 2016-12-14
A vulnerability in the ccmadmin page of Cisco Unified Communications Manager (CUCM) could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks. More Information: CSCvb64641. Known Affected Releases: 11.5(1.10000.6) 11.5(1.11007.2). Known Fixed Releases: 11.5(1.12900.7) 11.5(1.12900.8) 12.0(0.98000.155) 12.0(
nvd
CVE-2016-6472 | MEDIUM | CVSS 6.1 | CWE-79 | v11.5(1.2) | 2016-11-19
A vulnerability in several parameters of the ccmivr page of Cisco Unified Communication Manager (CallManager) could allow an unauthenticated, remote attacker to launch a cross-site scripting (XSS) attack against a user of the web interface on the affected system. More Information: CSCvb37121. Known Affected Releases: 11.5(1.2). Known Fixed Releases: 11
nvd
CVE-2016-6440 | MEDIUM | CVSS 6.5 | CWE-20 | v11.5(0.99838.4) | 2016-10-27
The Cisco Unified Communications Manager (CUCM) may be vulnerable to data that can be displayed inside an iframe within a web page, which in turn could lead to a clickjacking attack. More Information: CSCuz64683 CSCuz64698. Known Affected Releases: 11.0(1.10000.10), 11.5(1.10000.6), 11.5(0.99838.4). Known Fixed Releases: 11.0(1.22048.1), 11.5(0.98000.1
nvd
CVE-2016-6364 | HIGH | CVSS 7.5 | CWE-200 | v11.5.0 | 2016-08-23
The User Data Services (UDS) API implementation in Cisco Unified Communications Manager 11.5 allows remote attackers to bypass intended access restrictions and obtain sensitive information via unspecified API calls, aka Bug ID CSCux67855.
nvd
CVE-2015-6360 | HIGH | CVSS 7.5 | CWE-119 | v9.9(9)st1.9 | 2016-04-21
The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686.
nvd
CVE-2015-6433 | MEDIUM | CVSS 6.5 | CWE-89 | v11.0(0.98000.225) | 2016-01-08
SQL injection vulnerability in Cisco Unified Communications Manager 11.0(0.98000.225) allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCut66767.
nvd
CVE-2015-6425 | MEDIUM | CVSS 5.0 | CWE-399 | v10.5(0.98000.88) | 2015-12-16
The WebApplications Identity Management subsystem in Cisco Unified Communications Manager 10.5(0.98000.88) allows remote attackers to cause a denial of service (subsystem outage) via invalid session tokens, aka Bug ID CSCul83786.
nvd
CVE-2015-4206 | MEDIUM | CVSS 4.3 | CWE-79 | v8.0(2c), v8.0(3), +6 more | 2015-12-15
Cisco Unified Communications Manager (UCM) 8.0 through 8.6 allows remote attackers to bypass an XSS protection mechanism via a crafted parameter, aka Bug ID CSCuu15266.
nvd
CVE-2015-4295 | MEDIUM | CVSS 4.0 | CWE-200 | v10.5(3.10000.9) | 2015-08-01
The Prime Collaboration Deployment component in Cisco Unified Communications Manager 10.5(3.10000.9) allows remote authenticated users to discover root credentials via a direct request to an unspecified URL, aka Bug ID CSCuv21819.
nvd
CVE-2015-4269 | MEDIUM | CVSS 4.0 | CWE-399 | v10.5(1.99995.9) | 2015-07-14
The Tomcat throttling feature in Cisco Unified Communications Manager 10.5(1.99995.9) allows remote authenticated users to cause a denial of service (management outage) by sending many requests, aka Bug ID CSCuu99709.
nvd