HIGH✓ PATCH🇬🇧 English

CVE-2024-20272

CVSS 7.3v3.1pub. 2024-01-17upd. 2025-06-02

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Cisco Unity Connection

    APP
    Cisco
    < 12.5.1.19017-414.0 – 14.0.1.14006-5 (bez)
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2024-20253CRITICAL9.9PL ✓ten sam produkt

RCE w produktach Cisco Unified Communications — eskalacja do root

CVE-2017-12337CRITICAL9.8ten sam produkt

A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating Sy...

CVE-2026-20045HIGH8.2⚠ KEVten sam produkt

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Ses...

CVE-2026-20034HIGH8.8ten sam produkt

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, ...

CVE-2023-20259HIGH8.6ten sam produkt

A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenti...