Privilege escalation in Cisco Unified Customer Voice Portal - CVE-2017-12214
Published: September 21, 2017
Vulnerability identifier: #VU8565
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12214
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Unified Customer Voice Portal
Cisco Unified Customer Voice Portal
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to gain elevated privileges ob the target system.
The weakness exists in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) due to lack of proper input validation. A remote attacker can authenticate to the OAMP and send a specially crafted HTTP request to gain administrator privileges.
The weakness exists in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) due to lack of proper input validation. A remote attacker can authenticate to the OAMP and send a specially crafted HTTP request to gain administrator privileges.
How to mitigate CVE-2017-12214
The vulnerability is addressed in the following versions: 11.5(1)SR0(13), 11.5(1)SR0(12), 11.0(1)SR0(27), 10.5(1)SR0(31).