Information disclosure in Cisco Unified Communications Manager

Published: 2019-01-10 17:08:40
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-0474
CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Unified Communications Manager
Vulnerable software versions: Cisco Unified Communications Manager 10.5(2.14076.1)
Vendor URL: Cisco Systems, Inc

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists in the web-based management interface due to the incorrect inclusion of saved passwords in configuration pages. A remote attacker can log in to the Cisco Unified Communications Manager web-based management interface and view the source code for the configuration page to recover passwords and expose those accounts to further attack.
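A regression check for this class of flaw in a web application's own rendered pages, as an added example that is not part of the advisory and not Cisco code. It assumes the saved secret appears as an input `value` attribute (the advisory says only that saved passwords are included in configuration pages); the form markup and field names are constructed.

```python
import re
from html.parser import HTMLParser

# Placeholder characters a server may render instead of the stored secret.
MASK_CHARS = set("*\u2022\u25cf")
# Hidden fields are only inspected when their name suggests a credential.
SECRET_NAME = re.compile(r"pass|pwd|secret", re.I)


class PasswordFieldAudit(HTMLParser):
    """Collect inputs whose value attribute carries a real stored secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "").lower()
        name = a.get("name", "")
        is_secret = kind == "password" or (
            kind == "hidden" and SECRET_NAME.search(name))
        value = a.get("value", "")
        # Empty or fully masked values are acceptable; anything else is a leak.
        if is_secret and value and not set(value) <= MASK_CHARS:
            line, _ = self.getpos()
            # Record the length only, so the audit report never stores the secret.
            self.findings.append(
                {"name": name, "line": line, "length": len(value)})


def audit_page(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; not taken from any real product.
SAMPLE_PAGE = """<form action="/config/save" method="post">
  <input type="text" name="bindUser" value="svc-directory">
  <input type="password" name="bindPassword" value="Constructed-Secret-1">
  <input type="password" name="proxyPassword" value="********">
  <input type="hidden" name="snmpSecret" value="constructed-community">
  <input type="password" name="newPassword" value="">
</form>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

A page that passes this check renders secret fields empty or masked and treats an unchanged placeholder on submit as "keep the stored value".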

Remediation

The vulnerability has been fixed in versions 12.0(1.10000.10), 12.0(0.98000.692), 12.0(0.98000.535), 12.0(0.98000.240), 12.0(0.98000.239).

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-cucm-creds-d...
