Vulnerability Details : CVE-2022-20658

A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials.

Published 2022-01-14 05:15:11

Updated 2022-01-14 18:36:39

Source Cisco Systems, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-20658

Probability of exploitation activity in the next 30 days: 0.09%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 39 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-20658

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
8.5	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:N	8.0	9.2	[email protected]
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: None
9.6	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N	3.1	5.8	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None
9.6	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N	3.1	5.8	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-20658

CWE-602 Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Assigned by: [email protected] (Secondary)
CWE-669 Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Assigned by: [email protected] (Primary)

References for CVE-2022-20658

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmp-priv-esc-JzhTFLm4

Vendor Advisory

Products affected by CVE-2022-20658

Cisco » Unified Contact Center Express » Version: 12.0.1
cpe:2.3:a:cisco:unified_contact_center_express:12.0.1:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Contact Center Express » Version: 12.5.1
cpe:2.3:a:cisco:unified_contact_center_express:12.5.1:*:*:*:*:*:*:*
Matching versions
Cisco » Unified Contact Center Management Portal
Versions up to, including, (<=) 11.6.1
cpe:2.3:a:cisco:unified_contact_center_management_portal:*:*:*:*:*:*:*:*
Matching versions