Platform: cisco
Component: cisco-finesse
Fixed in: 12.6.1
CVE-2021-1246 is an unauthenticated access vulnerability in the OpenSocial Gadget Editor of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP. A remote attacker can reach the Gadget Editor without presenting valid credentials. The vulnerability affects versions up to and including 12.6(2)_ET17; Cisco has released fixed software.
Successful exploitation gives an attacker direct access to the OpenSocial Gadget Editor on the affected product. From there, gadget configurations can be modified without authorization, which could be used to inject attacker-controlled content or alter how the desktop behaves. The immediate impact is confined to the gadget editor, but a tampered gadget is served to the agents and supervisors who use the Finesse desktop, so it is a plausible starting point for phishing those users or for reconnaissance of the surrounding contact-center network. Because no credentials are required, the flaw can be exploited by anyone who can reach the web interface.
CVE-2021-1246 was publicly disclosed on January 13, 2021. No active exploitation campaigns have been confirmed, and the vulnerability is not listed in the CISA KEV catalog. Public proof-of-concept code has been reported, which lowers the bar for opportunistic attackers against any instance whose web interface is reachable.
Organizations that run contact-center operations on Cisco Finesse are the primary population at risk. Deployments with legacy configurations, or whose Finesse web interface is reachable without network-level access controls, are more exposed. In shared hosting environments where several tenants use the same infrastructure, a compromise of the Finesse instance by one tenant can affect the others.
• cisco / server:
  # Confirm the running Finesse release and compare it with the fixed release in the Cisco advisory.
  # Finesse runs on the Cisco VOS platform; the admin CLI reports the active version:
  admin: show version active
  # The same information is shown in the web administration interface.
• generic web:
  # Probe the OpenSocial Gadget Editor path without credentials (path as given on this page; adjust to your deployment)
  curl -sk -o /dev/null -w '%{http_code}\n' https://<finesse_host>/gadgeteditor
  # A 200 with no authentication challenge indicates unauthenticated exposure;
  # a 401/403, or a redirect to the login page, indicates authentication is being enforced.
• generic web:
  # Review web access logs (from a reverse proxy or WAF in front of Finesse, or exported from the server)
  # for gadget editor requests from unexpected source IPs or user agents
  grep '/gadgeteditor' access.log
Disclosure: January 13, 2021
Exploit status: no confirmed active exploitation; not listed in CISA KEV
EPSS
0.52% (67th percentile)
CVSS vector
The primary mitigation for CVE-2021-1246 is to upgrade Cisco Finesse, Virtualized Voice Browser, or Unified CVP to a fixed release provided by Cisco. Cisco lists no workarounds for this vulnerability; until the upgrade can be scheduled, the available compensating control is to place a Web Application Firewall or reverse proxy in front of the web interface and block requests to the OpenSocial Gadget Editor path, restricting it to the administrator source addresses that legitimately need it. Monitor access logs for requests to that path from unknown or untrusted sources. Tightening access controls and authentication on the web management interface as a whole does not fix this specific flaw but reduces the reachable attack surface. After upgrading, confirm the fix by requesting the Gadget Editor path without credentials and checking that the server now rejects the request or redirects to the login page.
Cisco has published software updates that address this vulnerability. Update Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP to the latest release provided by the vendor. There are no workarounds that address this vulnerability.
CVE-2021-1246 is a medium-severity vulnerability affecting Cisco Finesse versions up to and including 12.6(2)_ET17. It allows an unauthenticated remote attacker to access the OpenSocial Gadget Editor without credentials.
You are affected if you run Cisco Finesse, Virtualized Voice Browser, or Unified CVP at a version earlier than the fixed release provided by Cisco. Check your running version against the affected range in the advisory.
Upgrade to a fixed release of Cisco Finesse as provided by Cisco. Cisco lists no workarounds; until you can upgrade, restrict access to the Gadget Editor path with a WAF or reverse proxy as a compensating control.
No active exploitation campaigns have been publicly confirmed, but the unauthenticated nature of the vulnerability makes it a likely target, and public PoC code has been reported.
You can find the official Cisco advisory for CVE-2021-1246 on the Cisco Security Advisories website: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finnesse-unauth-access