CVE-2019-1915

Published: Oct 2, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.

Affected (9)

Products: Cisco: Unified Communications Manager, Unity Connection, Unified Communications Manager Im And Presence Service

Cisco

3 products

Unified Communications Manager

Unity Connection

Unified Communications Manager Im And Presence Service

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Communications Manager	Version 10.5(2.10000.5)
Cisco Unified Communications Manager	Version 11.5(1.10000.6)
Cisco Unified Communications Manager	Version 12.0(1.10000.10)
Cisco Unified Communications Manager	Version 12.5(1.10000.22)