CVE-2021-1246 is a vulnerability in Cisco Finesse
Published on January 13, 2021
Cisco Finesse OpenSocial Gadget Editor Unauthenticated Access Vulnerability
Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability
A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials.
The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Vulnerability Analysis
CVE-2021-1246 is exploitable with network access and does not require authorization privileges or user interaction. Its attack complexity is considered low. A successful exploit is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2021-1246
Affected Versions
Cisco Unified Customer Voice Portal (CVP):
- Version 12.6(2)_ES4 is affected.
- Version 12.6(2)_ET5 is affected.
- Version 12.6(2)_ET7 is affected.
- Version 12.6(2)_ET8 is affected.
- Version 12.6(2)_ES9 is affected.
- Version 12.6(2)_ES10 is affected.
- Version 12.6(2)_ES11 is affected.
- Version 12.6(2)_ET12 is affected.
- Version 12.6(2)_ET13 is affected.
- Version 12.6(2)_ES14 is affected.
- Version 12.6(2)_ES15 is affected.
- Version 12.6(2)_ET16 is affected.
- Version 12.6(2)_ET17 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.