Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Cisco / Cisco Unity Connection12.5(1) – 12.5(1)
- Cisco / Cisco Unity Connection12.5(1)SU1 – 12.5(1)SU1
- Cisco / Cisco Unity Connection12.5(1)SU2 – 12.5(1)SU2
- Cisco / Cisco Unity Connection12.5(1)SU3 – 12.5(1)SU3
- Cisco / Cisco Unity Connection12.5(1)SU4 – 12.5(1)SU4
- Cisco / Cisco Unity Connection14 – 14
- Cisco / Cisco Unity Connection12.5(1)SU5 – 12.5(1)SU5
- Cisco / Cisco Unity Connection14SU1 – 14SU1
- Cisco / Cisco Unity Connection12.5(1)SU6 – 12.5(1)SU6
- Cisco / Cisco Unity Connection14SU2 – 14SU2
- Cisco / Cisco Unity Connection12.5(1)SU7 – 12.5(1)SU7
- Cisco / Cisco Unity Connection14SU3 – 14SU3
- Cisco / Cisco Unity Connection12.5(1)SU8 – 12.5(1)SU8
- Cisco / Cisco Unity Connection14SU3a – 14SU3a
- Cisco / Cisco Unity Connection12.5(1)SU8a – 12.5(1)SU8a
- Cisco / Cisco Unity Connection15 – 15
- Cisco / Cisco Unity Connection15SU1 – 15SU1
- Cisco / Cisco Unity Connection14SU4 – 14SU4
- Cisco / Cisco Unity Connection12.5(1)SU9 – 12.5(1)SU9
- Cisco / Cisco Unity Connection15SU2 – 15SU2
- Cisco / Cisco Unity Connection15SU3 – 15SU3