CVE-2023-20266
First published: Wed Aug 30 2023(Updated: )
A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device. This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.
Credit: ykramarz@cisco.com ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Emergency Responder | =12.5.1su4 | |
| Cisco Emergency Responder | =12.5.1su8a | |
| Cisco Emergency Responder | =14su3 | |
| Cisco Unified Communications Manager | =12.5.1su8 | |
| Cisco Unified Communications Manager | =12.5.1su8 | |
| Cisco Unity Connection | =12.5\(1\)su6 | |
| Cisco Unity Connection | =12.5\(1\)su7 | |
| Cisco Unity Connection | =12.5\(1\)su8 | |
| Cisco Unity Connection | =14su2 | |
| Cisco Unity Connection | =14su3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-20266?
The severity of CVE-2023-20266 is high with a severity value of 7.2.
What is the affected software for CVE-2023-20266?
The affected software for CVE-2023-20266 includes Cisco Emergency Responder, Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, and Cisco Unity Connection.
How can an attacker exploit CVE-2023-20266?
An attacker can exploit CVE-2023-20266 by elevating privileges to root on an affected device.
What is the Cisco Security Advisory for CVE-2023-20266?
The Cisco Security Advisory for CVE-2023-20266 can be found at [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg).
What is the CWE for CVE-2023-20266?
The CWE for CVE-2023-20266 is 269.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cisco
- canonical/cisco emergency responder
- version/cisco emergency responder/12.5.1su4
- version/cisco emergency responder/12.5.1su8a
- version/cisco emergency responder/14su3
- canonical/cisco unified communications manager
- version/cisco unified communications manager/12.5.1su8
- canonical/cisco unity connection
- version/cisco unity connection/12.5\(1\)su6
- version/cisco unity connection/12.5\(1\)su7
- version/cisco unity connection/12.5\(1\)su8
- version/cisco unity connection/14su2
- version/cisco unity connection/14su3