#VU16931 Information disclosure in Unified Communications Manager (CallManager) - CVE-2018-0474
Published: January 9, 2019 / Updated: January 10, 2019
Vulnerability identifier: #VU16931
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0474
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Unified Communications Manager (CallManager)
Unified Communications Manager (CallManager)
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the web-based management interface due to the incorrect inclusion of saved passwords in configuration pages. A remote attacker can log in to the Cisco Unified Communications Manager web-based management interface and view the source code for the configuration page to recover passwords and expose those accounts to further attack.
Remediation
The vulnerability has been fixed in the versions 12.0(1.10000.10), 12.0(0.98000.692), 12.0(0.98000.535), 12.0(0.98000.240), 12.0(0.98000.239).