CVE-2013-1225

Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366.

CVSS v2.0 7.8 HIGH

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:N/A:N

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:unified_customer_voice_portal::::::::
	cpe:2.3:a:cisco:unified_customer_voice_portal:3.0:sr1::::::
	cpe:2.3:a:cisco:unified_customer_voice_portal:3.0:sr2::::::
	cpe:2.3:a:cisco:unified_customer_voice_portal:3.6\(10\):es01::::::
	cpe:2.3:a:cisco:unified_customer_voice_portal:4.0:::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:4.0\(2\):::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:4.0\(2\):sr1::::::
	cpe:2.3:a:cisco:unified_customer_voice_portal:4.1:::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:7.0:::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:7.0\(2\):::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:8.0\(1\):::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:8.5\(1\):::::::*
	cpe:2.3:a:cisco:unified_customer_voice_portal:9.0:::::::*

History

No history.

Information

Published : 2013-05-09 12:31

Updated : 2013-05-09 12:31

NVD link : CVE-2013-1225

Mitre link : CVE-2013-1225

CVE.ORG link : CVE-2013-1225

JSON object : View

Products Affected

cisco

unified_customer_voice_portal

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-1225", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-05-09T12:31:19.243", "references": [{"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366."}, {"lang": "es", "value": "Cisco Unified Customer Voice Portal (CVP) Software anterior a v9.0.1 ES v11 permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de peticiones Resource Manager (1) HTTP \u00f3 (2) HTTPS que contienen una entidad externa junto con una referencia declarada, relacionada con un asunto XML External Entity (XEE), tambi\u00e9n conocido como Bug ID CSCub38366."}], "lastModified": "2013-05-09T12:31:19.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2658963-C679-43C8-9A39-AC84F5EEE343", "versionEndIncluding": "9.0\\(1\\)"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:3.0:sr1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3FA84E2-8B3B-4C19-B135-535E58DF3847"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:3.0:sr2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44B2F5F0-DD35-463C-B73C-00B7911BCDD5"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:3.6\\(10\\):es01:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36E1A7F5-4BA6-4C10-A85B-BB666C457BFC"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B1D46F0-DEC9-418B-8973-6EC44201B0B8"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:4.0\\(2\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE565A29-2DC7-4F4F-8E47-CB404E0AA5AF"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:4.0\\(2\\):sr1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C54FFF1F-2991-46EA-90C9-319F47663699"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "270E39D1-6F71-4C6F-AE91-B0A86057CCCF"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6796545D-C15C-4ADA-8491-31FC26560809"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:7.0\\(2\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9E51515-7E70-4199-8C99-D45F21D989B2"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:8.0\\(1\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8805E471-95E0-45DF-A346-15F10EB281B4"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:8.5\\(1\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6435E484-D475-49C6-8649-7BBD3728B08F"}, {"criteria": "cpe:2.3:a:cisco:unified_customer_voice_portal:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D6A6517-6F93-4B4B-91CB-9777EBAFF922"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}