CVE-2017-12214
HIGHCisco Unified Customer Voice Portal 10.5, 11.0, 11.5 - Authenticated Privilege Escalation via OAMP Credential Reset
Title source: llmDescription
A vulnerability in the Operations, Administration, Maintenance, and Provisioning (OAMP) credential reset functionality for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to gain elevated privileges. The vulnerability is due to a lack of proper input validation. An attacker could exploit this vulnerability by authenticating to the OAMP and sending a crafted HTTP request. A successful exploit could allow the attacker to gain administrator privileges. The attacker must successfully authenticate to the system to exploit this vulnerability. This vulnerability affects Cisco Unified Customer Voice Portal (CVP) running software release 10.5, 11.0, or 11.5. Cisco Bug IDs: CSCve92752.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039411
Vendor Advisory x_refsource_confirm
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170920-cvp
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100931
Scores
CVSS v3
8.8
EPSS
0.0218
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
CWE-264
Status
published
Products (4)
cisco/unified_customer_voice_portal
10.5
cisco/unified_customer_voice_portal
11.0
cisco/unified_customer_voice_portal
11.5
n/a/Cisco Unified Customer Voice Portal
Cisco Unified Customer Voice Portal
Published
Sep 21, 2017
Tracked Since
Feb 18, 2026