CVE-2014-3277 : The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and ear

The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive user and group information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum77005.

Published 2014-05-29 17:55:05

Updated 2016-09-07 17:04:55

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2014-3277

Probability of exploitation activity in the next 30 days: 0.16%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 52 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-3277

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-3277

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3277

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3277

Cisco Unified Communications Domain Manager Admin Information Disclosure Vulnerability
Vendor Advisory
http://www.securityfocus.com/bid/67664

Cisco Unified Communications Domain Manager Remote Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
http://tools.cisco.com/security/center/viewAlert.x?alertId=34380

Cisco Unified Communications Domain Manager Admin Information Disclosure Vulnerability
Vendor Advisory
http://www.securitytracker.com/id/1030306

Cisco Unified Communications Domain Manager Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url

Products affected by CVE-2014-3277

Cisco » Unified Communications Domain Manager
Versions up to, including, (<=) 9.0\(.1\)
cpe:2.3:a:cisco:unified_communications_domain_manager:*:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Communications Domain Manager » Version: 7.4
cpe:2.3:a:cisco:unified_communications_domain_manager:7.4:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Communications Domain Manager » Version: 9.0
cpe:2.3:a:cisco:unified_communications_domain_manager:9.0:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Communications Domain Manager » Version: 8.6
cpe:2.3:a:cisco:unified_communications_domain_manager:8.6:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Communications Domain Manager » Version: 8.6(.2)
cpe:2.3:a:cisco:unified_communications_domain_manager:8.6\(.2\):*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-3277

Exploit prediction scoring system (EPSS) score for CVE-2014-3277

CVSS scores for CVE-2014-3277

CWE ids for CVE-2014-3277

References for CVE-2014-3277

Products affected by CVE-2014-3277