Platform
cisco
Component
cisco-finesse
Fixed in
12.6.1
CVE-2021-1246 describes an unauthenticated access vulnerability in Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor. This flaw allows a remote attacker to bypass authentication and access the OpenSocial Gadget Editor without valid credentials. The vulnerability impacts versions up to and including 12.6(2)_ET17, and a fix is available from Cisco.
Successful exploitation of CVE-2021-1246 allows an attacker to directly access the OpenSocial Gadget Editor within the affected Cisco products. This could enable unauthorized modification of gadget configurations, potentially leading to the injection of malicious code or the alteration of system behavior. While the immediate impact might be limited to the gadget editor itself, a compromised editor could be leveraged for further attacks, such as phishing campaigns targeting users of the system or gaining a foothold for broader network reconnaissance. The lack of authentication makes this vulnerability particularly concerning, as it requires no prior user credentials to exploit.
CVE-2021-1246 was publicly disclosed on January 13, 2021. While no active exploitation campaigns have been definitively confirmed, the unauthenticated nature of the vulnerability makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the likelihood of exploitation.
Organizations heavily reliant on Cisco Finesse for contact center operations are particularly at risk. Environments with legacy configurations or those that have not implemented robust access controls are also more vulnerable. Shared hosting environments where multiple tenants share the same infrastructure could also be affected if one tenant compromises the Finesse instance.
Detection checks:

• cisco / server:
# Check for vulnerable versions in the Cisco Finesse configuration
# (requires access to the Finesse admin interface or configuration files)
# Example: grep 'version' /opt/cisco/finesse/version.txt

• generic web:
# Check whether the OpenSocial Gadget Editor endpoint is exposed
curl -I https://<finesse_ip>/gadgeteditor
# A 200 OK response with no authentication challenge indicates exposure

• generic web:
# Review access logs for requests to the gadget editor endpoint
# from unexpected IP addresses or user agents
grep '/gadgeteditor' /var/log/apache2/access.log

Exploit status
EPSS
0.52% (67th percentile)
CVSS vector
The primary mitigation for CVE-2021-1246 is to upgrade to a fixed version of Cisco Finesse, Virtualized Voice Browser, or Unified CVP as provided by Cisco. Until an upgrade is possible, implement a Web Application Firewall (WAF) or proxy to filter requests to the vulnerable OpenSocial Gadget Editor endpoint. Specifically, block access to the affected URL path. Monitor access logs for suspicious activity, particularly requests originating from unknown or untrusted sources. Consider implementing stricter access controls and authentication mechanisms for the web management interface, even if they don't directly address this specific vulnerability, to reduce the overall attack surface. After upgrade, confirm by verifying that the OpenSocial Gadget Editor requires authentication.
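The two web-side checks listed above (probe the gadget editor endpoint with curl -I and look for a 200 without an authentication challenge; pull gadget editor requests from unexpected sources out of the access log) and the post-upgrade confirmation that the editor now requires authentication can be turned into a small, repeatable triage script. The following is an added example written for this page; it is not code from the original page or from Cisco. It assumes the editor is reachable under /gadgeteditor (the same path the page's curl check uses), that the web server writes Apache "combined" format logs, and that the trusted network, the scripted user-agent list and the sample log lines are constructed for illustration.

```python
"""Triage helpers for the CVE-2021-1246 checks on this page: interpret the
`curl -I` probe of the gadget editor endpoint, and pick gadget-editor
requests from untrusted sources out of an access log.

Added example for this page, not code from the original page or from Cisco.
Assumptions: the editor lives under /gadgeteditor (mirroring the page's curl
check), the log is in Apache "combined" format, and the sample lines below
are constructed, not captured from a real Finesse host.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

GADGET_EDITOR_PATH = "/gadgeteditor"  # assumed path, as in the page's curl check

# Apache "combined" log format (assumed for the examples below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User agents typical of scripted clients rather than an agent's browser (assumed list)
SCRIPTED_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww", re.I)

# Constructed sample log; RFC 5737 documentation addresses stand in for "outside" IPs
SAMPLE_LOG = [
    '10.0.5.12 - - [13/Jan/2021:10:00:01 +0000] "GET /desktop/container/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jan/2021:10:00:02 +0000] "GET /gadgeteditor/ HTTP/1.1" 200 5678 "-" "python-requests/2.25.1"',
    '10.0.5.13 - - [13/Jan/2021:10:00:03 +0000] "GET /gadgeteditor/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jan/2021:10:00:04 +0000] "GET /gadgeteditor/edit?id=1 HTTP/1.1" 401 0 "-" "curl/7.68.0"',
    "this line is deliberately unparseable",
]


def classify_head_response(status: int, headers: Dict[str, str]) -> str:
    """Turn the status and headers of the `curl -I` probe into a verdict.

    'exposed' is the condition the page tells you to look for: the editor
    answered 200 with no WWW-Authenticate challenge. After the upgrade the
    same probe should come back 'auth-required' or 'redirect' (to a login page).
    """
    names = {k.lower() for k in headers}
    if status == 200 and "www-authenticate" not in names:
        return "exposed"
    if status in (401, 403) or "www-authenticate" in names:
        return "auth-required"
    if 300 <= status < 400:
        return "redirect"
    if status == 404:
        return "absent"
    return "unknown"


def flag_gadget_editor_requests(
    log_lines: Iterable[str],
    trusted_networks: Iterable[str],
    path_prefix: str = GADGET_EDITOR_PATH,
) -> List[Dict[str, object]]:
    """Return gadget-editor requests whose source IP is outside trusted_networks.

    Every such request is reported together with its status: a 200 means the
    editor was served to an untrusted client (the vulnerability in action); a
    401/403 from the same client is still worth a look as reconnaissance.
    Lines that do not parse are skipped rather than guessed at.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(src in net for net in nets):
            continue
        hits.append({
            "ts": m["ts"],
            "ip": m["ip"],
            "path": m["path"],
            "status": int(m["status"]),
            "scripted_client": bool(SCRIPTED_UA.search(m["ua"])),
        })
    return hits


if __name__ == "__main__":
    # Verdict for a probe that came back 200 with no challenge header
    print(classify_head_response(200, {"Server": "Apache"}))
    # Gadget editor requests from outside the (assumed) agent network
    for hit in flag_gadget_editor_requests(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(hit)
```

Feed classify_head_response the status code and headers you get back from the curl -I probe; run it once before the upgrade (expect "exposed" on an affected host) and once after (expect "auth-required" or a redirect to the login page). For the log check, pass the real access log lines and your agent/desktop network ranges as trusted_networks; anything returned is a request to the editor from outside those ranges, with the scripted_client flag separating browser traffic from tooling.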
Cisco has released software updates that address this vulnerability. Update Cisco Finesse, Cisco Virtualized Voice Browser and Cisco Unified CVP to the latest available version provided by the vendor. There are no workarounds that address this vulnerability.
CVE-2021-1246 is a medium severity vulnerability affecting Cisco Finesse versions up to 12.6(2)_ET17. It allows an unauthenticated attacker to access the OpenSocial Gadget Editor without credentials.
You are affected if you are running Cisco Finesse, Virtualized Voice Browser, or Unified CVP versions prior to the fixed version provided by Cisco. Check your version against the affected range.
Upgrade to a fixed version of Cisco Finesse as provided by Cisco. Cisco lists no workaround; as a compensating control until the upgrade is done, block access to the vulnerable endpoint at a WAF or reverse proxy.
While no confirmed active exploitation campaigns are publicly known, the unauthenticated nature of the vulnerability makes it a potential target. Public PoCs exist.
You can find the official Cisco advisory for CVE-2021-1246 on the Cisco Security Advisories website: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finnesse-unauth-access