CVE-2026-20230
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-918
Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
03/06/2026
Última modificación:
01/07/2026
Descripción
*** Pendiente de traducción *** A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.<br />
<br />
This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.<br />
Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.<br />
Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.
Impacto
Puntuación base 3.x
8.60
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* | 14.0 (incluyendo) | 14su6 (excluyendo) |
| cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* | 14.0 (incluyendo) | 14su6 (excluyendo) |
| cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* | 15.0 (incluyendo) | 15su4a (incluyendo) |
| cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* | 15.0 (incluyendo) | 15su4a (incluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



