Vulnerability CVE-2022-20788

Vulnerability Name:

CVE-2022-20788 (CCN-224845)

Assigned:

2021-11-02

Published:

2022-04-20

Updated:

2022-05-04

Summary:

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2022-20788

Source: XF
Type: UNKNOWN
cisco-unified-cve202220788-xss(224845)

Source: CCN
Type: Cisco Security Advisory cisco-sa-cucm-xss-6MCe4kPF
Cisco Unified Communications Products Cross-Site Scripting Vulnerability

Source: CISCO
Type: Vendor Advisory
20220420 Cisco Unified Communications Products Cross-Site Scripting Vulnerability

Vulnerable Configuration:

Configuration 1:

cpe:/a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* (Version >= 14.0 and < 14su1)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* (Version >= 12.5(1) and < 12.5(1)su6)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* (Version >= 14.0 and < 14su1)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* (Version >= 12.5(1) and < 12.5(1)su6)

OR cpe:/a:cisco:unity_connection:*:*:*:*:*:*:*:* (Version >= 14.0 and < 14su1)

OR cpe:/a:cisco:unity_connection:*:*:*:*:*:*:*:* (Version >= 12.5(1) and < 12.5(1)su6)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* (Version >= 11.5(1) and < 11.5(1)su11)

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* (Version >= 11.5(1) and < 11.5(1)su11)

Configuration CCN 1:

cpe:/a:cisco:unified_communications_manager:12.5(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity_connection:12.5(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:11.5(1):*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK