CVE-2022-20658
Published on: 01/14/2022 12:00:00 AM UTC
Last Modified on: 01/14/2022 06:36:00 PM UTC
CVE-2022-20658 - advisory for cisco-sa-ccmp-priv-esc-JzhTFLm4
Certain versions of Unified Contact Center Express from Cisco contain the following vulnerability:
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated to the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials.
- CVE-2022-20658 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
- The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
- Affected Vendor/Software:
Cisco - Cisco Unified Contact Center Domain Manager version n/a
CVSS3 Score: 9.6 - CRITICAL

Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
CHANGED | HIGH | HIGH | NONE |
CVSS2 Score: 8.5 - HIGH

Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
COMPLETE | COMPLETE | NONE |
CVE References

Description | Tags | Link |
---|---|---|
Cisco Unified Contact Center Management Portal and Unified Contact Center Domain Manager Privilege Escalation Vulnerability | text/html | tools.cisco.com |
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Cisco | Unified Contact Center Express | 12.0.1 | All | All | All |
Application | Cisco | Unified Contact Center Express | 12.5.1 | All | All | All |
Application | Cisco | Unified Contact Center Management Portal | All | All | All | All |
- cpe:2.3:a:cisco:unified_contact_center_express:12.0.1:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_contact_center_express:12.5.1:*:*:*:*:*:*:*:
- cpe:2.3:a:cisco:unified_contact_center_management_portal:*:*:*:*:*:*:*:*:
Social Mentions

Title | Posted (UTC) |
---|---|
Cisco Patches Critical Vulnerability in Contact Center Products | S... (Securityweek) Tracked as CVE-2022-20658 (C… twitter.com/i/web/status/1… | 2022-01-13 14:03:18 |
『allow an authenticated, remote attacker to elevate their privileges to Administrator.』 CVE-2022-20658 Cisco Unifi… twitter.com/i/web/status/1… | 2022-01-14 04:55:39 |
CVE-2022-20658 : A vulnerability in the web-based management interface of Cisco Unified Contact Center Management… twitter.com/i/web/status/1… | 2022-01-14 05:11:00 |
Cisco releases patch for a new critical #vulnerability (CVE-2022-20658 / CVSS 9.6) affecting the Unified CCMP and U… twitter.com/i/web/status/1… | 2022-01-14 07:29:20 |
"Cisco releases patch for a new critical #vulnerability (CVE-2022-20658 / CVSS 9.6) affecting the Unified CCMP and… twitter.com/i/web/status/1… | 2022-01-14 07:32:51 |
CVE-2022-20658 | 2022-01-14 05:38:23 |
Not seeing fixed version of software in Software and Downloads center | 2022-01-19 14:38:32 |