Permissions, Privileges, and Access Controls in Cisco Systems, Inc products - CVE-2023-20266
Published: August 31, 2023
Vulnerability identifier: #VU80178
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20266
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Emergency Responder
Cisco Unified Communications Manager
Cisco Unified Communications Manager Session Management Edition
Cisco Unity Connection
Detailed vulnerability description
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists because the affected application does not properly restrict the files that are used for upgrades. A remote administrator can use a specially crafted upgrade file to elevate privileges to root.
How to mitigate CVE-2023-20266
Install updates from the vendor's website.