Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-20266

A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.

Published

2023-08-30T17:15:08.357

Last Modified

2024-11-21T07:41:02.020

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-347
Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cisco	emergency_responder	12.5.1su4	Yes
Application	cisco	emergency_responder	12.5.1su8a	Yes
Application	cisco	emergency_responder	14su3	Yes
Application	cisco	unified_communications_manager	12.5.1su8	Yes
Application	cisco	unified_communications_manager	12.5.1su8	Yes
Application	cisco	unity_connection	12.5\(1\)su6	Yes
Application	cisco	unity_connection	12.5\(1\)su7	Yes
Application	cisco	unity_connection	12.5\(1\)su8	Yes
Application	cisco	unity_connection	14su2	Yes
Application	cisco	unity_connection	14su3	Yes

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg Vendor Advisory ([email protected])
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)