Cisco Unified Intelligence Center (CUIC) Software Unauthenticated User Account Creation Vulnerability

Severity: High. Nessus Plugin ID: 129818

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

The j_spring_security_switch_user function in Cisco Unified Intelligence Center (CUIC) 8.5.4 through 9.1(1), as used in Unified Contact Center Express 10.0(1) through 11.0(1), allows remote attackers to create user accounts by visiting an unspecified web page, aka Bug IDs CSCuy75027 and CSCuy81653.

Solution

Apply the patch or upgrade to the version recommended in Cisco bug ID CSCuy75027 or CSCuy81653.

See Also

http://www.nessus.org/u?9b63093f

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy75027

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy81653

Plugin Details

Severity: High

ID: 129818

File Name: cisco-sa-20161005-ucis2.nasl

Version: 1.3

Type: local

Family: CISCO

Published: 10/11/2019

Updated: 10/17/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-6426

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:unified_intelligence_center

Required KB Items: Settings/ParanoidReport, installed_sw/Cisco Unified Intelligence Center (CUIC)

Exploit Ease: No known exploits are available

Patch Publication Date: 10/5/2016

Vulnerability Publication Date: 10/5/2016

Reference Information

CVE: CVE-2016-6426

BID: 93420

CWE: 20

CISCO-SA: cisco-sa-20161005-ucis2

CISCO-BUG-ID: CSCuy75027, CSCuy81653