Vulnerabilities > CVE-2016-1373 - Unspecified vulnerability in Cisco Finesse

CVSS 8.6 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

cisco

nessus

NVD

Published: 2016-05-05

Updated: 2016-12-01

Summary

The gadgets-integration API in Cisco Finesse 8.5(1) through 8.5(5), 8.6(1), 9.0(1), 9.0(2), 9.1(1), 9.1(1)SU1, 9.1(1)SU1.1, 9.1(1)ES1 through 9.1(1)ES5, 10.0(1), 10.0(1)SU1, 10.0(1)SU1.1, 10.5(1), 10.5(1)ES1 through 10.5(1)ES4, 10.5(1)SU1, 10.5(1)SU1.1, 10.5(1)SU1.7, 10.6(1), 10.6(1)SU1, 10.6(1)SU2, and 11.0(1) allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted request, aka Bug ID CSCuw86623.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco Finesse 8.5\(5\)_Base Cisco Finesse 10.0\(1\)_Su1.1 Cisco Finesse 10.6\(1\)_Su1 Cisco Finesse 10.5\(1\)_Es2 Cisco Finesse 8.6\(1\)_Base Cisco Finesse 10.0\(1\)_Base Cisco Finesse 10.5\(1\)_Su1.7 Cisco Finesse 10.6\(1\)_Su2 Cisco Finesse 11.0\(1\)_Base Cisco Finesse 9.1\(1\)_Es5 Cisco Finesse 10.5\(1\)_Es1 Cisco Finesse 10.5\(1\)_Su1.1 Cisco Finesse 10.5\(1\)_Es4 Cisco Finesse 10.0\(1\)_Su1 Cisco Finesse 9.1\(1\)_Su1 Cisco Finesse 10.5\(1\)_Es3 Cisco Finesse 8.5\(2\)_Base Cisco Finesse 9.1\(1\)_Es2 Cisco Finesse 10.6\(1\)_Base Cisco Finesse 9.1\(1\)_Su1.1 Cisco Finesse 9.1\(1\)_Base Cisco Finesse 9.0\(1\)_Base Cisco Finesse 8.5\(1\)_Base Cisco Finesse 9.1\(1\)_Es3 Cisco Finesse 10.5\(1\)_Su1 Cisco Finesse 8.5\(4\)_Base Cisco Finesse 10.5\(1\)_Base Cisco Finesse 9.1\(1\)_Es4 Cisco Finesse 8.5\(3\)_Base Cisco Finesse 9.1\(1\)_Es1 Cisco Finesse 9.0\(2\)_Base	31

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20160504-FINESSE.NASL
description	According to its self-reported version, the Cisco Finesse appliance is affected by a server-side request forgery (SSRF) in application programming interface (API) for gadgets integration due to insufficient access controls. An unauthenticated, remote attacker can exploit this, via crafted HTTP request, to perform an HTTP request to an arbitrary host.
last seen	2020-06-01
modified	2020-06-02
plugin id	130066
published	2019-10-21
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130066
title	Cisco Finesse Appliance HTTP Request Processing Server-Side Request Forgery Vulnerability (cisco-sa-20160504-finesse)

Summary

Vulnerable Configurations

Nessus

References