Cisco Unified CM AXL API DoS via Input Validation in Self Care Portal
CVE-2023-20116 Published on June 28, 2023

A vulnerability in the Administrative XML Web Service (AXL) API of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of user-supplied input to the web UI of the Self Care Portal. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.

NVD

Vulnerability Analysis

CVE-2023-20116 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Weakness Type

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2023-20116 has been classified to as an Infinite Loop vulnerability or weakness.

Products Associated with CVE-2023-20116

Want to know whenever a new CVE is published for Cisco Unified Communications Manager? stack.watch will email you.

Cisco Unified Communications Manager

Affected Versions

Cisco Unified Communications Manager:

Version 12.0(1)SU1 is affected.
Version 12.0(1)SU2 is affected.
Version 12.0(1)SU3 is affected.
Version 12.0(1)SU4 is affected.
Version 12.0(1)SU5 is affected.
Version 12.5(1) is affected.
Version 12.5(1)SU1 is affected.
Version 12.5(1)SU2 is affected.
Version 12.5(1)SU3 is affected.
Version 12.5(1)SU4 is affected.
Version 12.5(1)SU5 is affected.
Version 12.5(1)SU6 is affected.
Version 12.5(1)SU7 is affected.
Version 12.5(1)SU7a is affected.
Version 14 is affected.
Version 14SU1 is affected.
Version 14SU2 is affected.

Cisco Unified Communications Manager / Cisco Unity Connection:

Version 10.5(2)SU10 is affected.
Version 10.5(1) is affected.
Version 10.5(1)SU1 is affected.
Version 10.5(1)SU1a is affected.
Version 10.5(2) is affected.
Version 10.5(2)SU1 is affected.
Version 10.5(2)SU2 is affected.
Version 10.5(2)SU3 is affected.
Version 10.5(2)SU4 is affected.
Version 10.5(2)SU5 is affected.
Version 10.5(2)SU6 is affected.
Version 10.5(2)SU7 is affected.
Version 10.5(2)SU8 is affected.
Version 10.5(2)SU9 is affected.
Version 10.5(2)SU2a is affected.
Version 10.5(2)SU3a is affected.
Version 10.5(2)SU4a is affected.
Version 10.5(2)SU6a is affected.
Version 11.0(1) is affected.
Version 11.0(1a) is affected.
Version 11.0(1a)SU1 is affected.
Version 11.0(1a)SU2 is affected.
Version 11.0(1a)SU3 is affected.
Version 11.0(1a)SU3a is affected.
Version 11.0(1a)SU4 is affected.
Version 11.0.1 is affected.
Version 11.0.2 is affected.
Version 11.0.5 is affected.
Version 11.5(1) is affected.
Version 11.5(1)SU1 is affected.
Version 11.5(1)SU2 is affected.
Version 11.5(1)SU3 is affected.
Version 11.5(1)SU3a is affected.
Version 11.5(1)SU3b is affected.
Version 11.5(1)SU4 is affected.
Version 11.5(1)SU5 is affected.
Version 11.5(1)SU6 is affected.
Version 11.5(1)SU7 is affected.
Version 11.5(1)SU8 is affected.
Version 11.5(1)SU9 is affected.
Version 11.5(1)SU10 is affected.
Version 11.5(1)SU11 is affected.
Version 10.0(1)SU2 is affected.
Version 10.0(1) is affected.
Version 10.0(1)SU1 is affected.

Exploit Probability

EPSS

0.38%

Percentile

58.75%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.