CVE-2024-20272

Severity CVSS v4.0:

Pending analysis

Type:

CWE-434 Unrestricted Upload of File with Dangerous Type

Publication date:

17/01/2024

Last modified:

02/06/2025

Description

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

7.30

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:cisco:unity_connection::::::::		12.5.1.19017-4 (excluding)
cpe:2.3:a:cisco:unity_connection::::::::	14.0 (including)	14.0.1.14006-5 (excluding)

To consult the complete list of CPE names with products and versions, see this page

CVE-2024-20272

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools