CVE Vulnerabilities

CVE-2018-0266

Direct Request ('Forced Browsing')

Published: Apr 19, 2018 | Modified: Sep 04, 2020
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables over the web interface. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view configuration parameters. Cisco Bug IDs: CSCvf20218.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Unified_communications_manager Cisco 11.0(1.10000.10) 11.0(1.10000.10)
Unified_communications_manager Cisco 11.5(1.10000.6) 11.5(1.10000.6)
Unified_communications_manager Cisco 10.5(2.10000.5) 10.5(2.10000.5)
Unified_communications_manager Cisco 12.0(1.10000.10) 12.0(1.10000.10)

Potential Mitigations

References