CVE-2017-6629

Published: May 3, 2017Modified: May 13, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug IDs: CSCvd90118.

Affected (1)

Products: Cisco: Unity Connection

1 product

Unity Connection

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Unity Connection	Version 10.5(2)

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

http://www.securityfocus.com/bid/98286

Source: psirt@cisco.com

Broken Link

http://www.securitytracker.com/id/1038400

Source: psirt@cisco.com

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cuc

Source: psirt@cisco.com

Vendor Advisory

http://www.securityfocus.com/bid/98286

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://www.securitytracker.com/id/1038400

Source: af854a3a-2127-422b-91ae-364da2661108

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cuc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.