CVE-2024-20310

Relative Path Traversal (CWE-23)

Published: Apr 3, 2024 / Updated: 7mo ago

CVSS: 6.1 (Medium) / EPSS: 0.04%

A vulnerability in the web-based interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-20310

Apr 3, 2024 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2024-20310. See article

Apr 3, 2024 at 5:01 PM / GIXtools
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Apr 3, 2024 at 5:02 PM
CVSS

A CVSS base score of 6.1 has been assigned.

Apr 3, 2024 at 5:20 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.7%)

Apr 5, 2024 at 4:34 PM

Affected Systems

Cisco/unified_communications_manager_im_and_presence_service

Attack Patterns

CAPEC-139: Relative Path Traversal

News

Cross-site scripting in Cisco Unified Communications Manager IM & Presence Service
A remote attacker can trick the victim into following a specially crafted link and executing arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P): CVSS (Max): 6.1
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory.

Cisco Unified CM IM&P Release    First Fixed Release
12.5(1) and earlier              12.5 SU8
14                               14 SU4 (May 2024)
15                               Not vulnerable

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P): CVSS (Max): 6.1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.2052
Cisco Unified Communications Manager IM & Presence Service Cross-Site Scripting Vulnerability
4 April 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2024-20310
Original Bulletin: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imps-xss-quWkd9yF
Comment: CVSS (Max): 6.1 CVE-2024-20310 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSS Source: Cisco Systems Calculator:
CVE-2024-20310 | Cisco IOS XE Web-based Interface path traversal (cisco-sa-cucm-imps-xss-quWkd9yF)
A vulnerability was found in Cisco IOS XE and Unified Communications Manager IM and Presence Service. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Web-based Interface. The manipulation leads to relative path traversal. This vulnerability is known as CVE-2024-20310. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
