CVE-2021-1399

EUVD-2021-6866

08.04.2021, 04:15

A vulnerability in the Self Care Portal of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to modify data on an affected system without proper authorization. The vulnerability is due to insufficient validation of user-supplied data to the Self Care Portal. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify information without proper authorization.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cisco	CNA	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Affected Products (NVD)

Vendor	Product	Version
cisco	unified_communications_manager	10.5\(2\) ≤ 𝑥 < 12.5\(1\)su4
cisco	unified_communications_manager	10.5\(2\) ≤ 𝑥 < 12.5\(1\)su4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-302 - Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-selfcare-VRWWWHgE