Overview
Cisco (https://www.cisco.com) has released a security update that fixes vulnerabilities in its products. Users of affected systems are advised to update to the latest version.
Affected Products
Cisco Identity Services Engine Software
Cisco Unified Communications Manager
Resolved Vulnerabilities
Vulnerability in Cisco Unified Communications Manager that could allow a denial of service due to improper parsing of SIP messages (CVE-2024-20375, CVSS 8.6) [1]
Vulnerability in Cisco Identity Services Engine Software due to insufficient validation of administrator privileges, allowing sensitive information to be collected (CVE-2024-20466, CVSS 6.5) [2]
Vulnerability in Cisco Identity Services Engine Software due to lack of user input validation, which could allow viewing or modifying data on affected devices (CVE-2024-20417, CVSS 6.5) [3]
Vulnerability in Cisco Identity Services Engine Software due to lack of CSRF protection in the web-based management interface, which could allow an attacker to have arbitrary commands carried out (CVE-2024-20486, CVSS 6.5) [4]
Vulnerability in the web-based administration feature of Cisco Unified Communications Manager due to insufficient validation of user input, which could allow arbitrary scripted command execution (CVE-2024-20488, CVSS 6.1) [5]
Vulnerability Patches
Product-specific vulnerability patches were made available in the August 21, 2024 update. Please refer to 'Affected Products' and 'Fixed Software' in the product-specific information at the Referenced Sites below to apply the patches.
Referenced Sites
[1] Cisco Unified Communications Manager Denial of Service Vulnerability
[2] Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability
[3] Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities
[4] Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability
[5] Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
Article Link: Cisco Family August 2024 First Round Security Update Advisory – ASEC