CVE-2017-6629
MEDIUM
Cisco Unity Connection 10.5(2) - Unauthenticated Path Traversal via ImageID Parameter
Title source: llmDescription
A vulnerability in the ImageID parameter of Cisco Unity Connection 10.5(2) could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. Cisco Bug IDs: CSCvd90118.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cuc
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1038400
Broken Link vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/98286
Scores
CVSS v3
5.3
EPSS
0.0251
EPSS Percentile
82.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (2)
cisco/unity_connection
10.5(2)
n/a/Cisco Unity Connection
Cisco Unity Connection
Published
May 03, 2017
Tracked Since
Feb 18, 2026