Main Vulnerability Database SB2020010917

SB2020010917 - Privilege escalation in Cisco Unified Customer Voice Portal

Published: January 9, 2020

Security Bulletin ID SB2020010917

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-16017)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green

The vulnerability allows a remote user to execute Insecure Direct Object Reference actions on specific pages within the OAMP application.

The vulnerability exists due to insufficient input validation on specific pages in the Operations, Administration, Maintenance and Provisioning (OAMP) OpsConsole Server. A remote administrator can send a specially crafted HTTP request and modify certain configuration details of resources outside of their defined scope, which could result in a denial of service (DoS) condition.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-cvp-direct-obj-ref