Finesse
CVE-2021-1246
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability
A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
AnalysisAI
Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Affected products include: Cisco Finesse.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.
A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System softw
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote a
Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote a
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker t
A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software could allow an unauthenticated, remote attacker t
The gadgets-integration API in Cisco Finesse 8.5(1) through 8.5(5), 8.6(1), 9.0(1), 9.0(2), 9.1(1), 9.1(1)SU1, 9.1(1)SU1
Cisco Finesse 10.5(1) allows remote authenticated users to obtain sensitive information or cause a denial of service (CP
A vulnerability in the nginx configurations that are provided as part of the VPN-less reverse proxy for Cisco Finesse co
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to bypass access controls and conduct a
A vulnerability in the web-based management interface of Cisco Unified Contact Center Express could allow an unauthentic
A vulnerability in the web-based management interface of Cisco Finesse 10.6(1) and 11.5(1) could allow an unauthenticate
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker t
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today