U-011: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability

October 14, 2011 - 12:30pm

PROBLEM:

Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability

PLATFORM:

Version(s): VCS prior to 7.0

ABSTRACT:

A vulnerability was reported in Cisco TelePresence Video Communication Server. A remote user can conduct cross-site scripting attacks.

REFERENCE LINKS:

Cisco Document ID: 113264
SecurityTracker Alert ID: 1026186
CVE-2011-3294

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability exists in Cisco TelePresence Video Communication Server (VCS) due to improper validation of user-controlled input to the web-based administrative interface. User-controlled input supplied to the login page via the HTTP User-Agent header is not properly sanitized for illegal or malicious content prior to being returned to the user in dynamically generated web content. A remote attacker could exploit this vulnerability to perform reflected cross-site scripting attacks.
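To illustrate the flaw class described above, the following added example (not Cisco's code; the login template, the sample User-Agent value and the function names are constructed for this illustration) places the unsafe reflection of the User-Agent header beside an output-encoded version, with a small defender-side check that flags a response reproducing header metacharacters verbatim:

```python
import html
import re

# Constructed User-Agent value carrying HTML metacharacters; a benign marker,
# not a real browser string, used only to exercise the check below.
SAMPLE_UA = 'Mozilla/5.0 (X11) <b>constructed-marker</b> "quoted"'

# Hypothetical login page that echoes the client's User-Agent into its body.
LOGIN_TEMPLATE = (
    "<html><body><h1>Login</h1>"
    "<p>Your browser: {ua}</p>"
    '<form method="post"><input name="user">'
    '<input name="pass" type="password"></form>'
    "</body></html>"
)


def render_login_unsafe(user_agent: str) -> str:
    """Echoes the header verbatim: the pattern the advisory describes,
    which lets attacker-chosen markup run in the victim's browser."""
    return LOGIN_TEMPLATE.format(ua=user_agent)


def render_login_safe(user_agent: str) -> str:
    """Encodes the header for an HTML text context before reflecting it,
    so '<', '>', '&' and quotes reach the browser as inert entities."""
    return LOGIN_TEMPLATE.format(ua=html.escape(user_agent, quote=True))


_HTML_META = re.compile(r'[<>"\'&]')


def reflects_unescaped(page: str, header_value: str) -> bool:
    """Defender-side check over a captured response: True when a header
    value containing HTML metacharacters appears in the body unencoded."""
    if not _HTML_META.search(header_value):
        return False  # nothing dangerous to reflect
    return header_value in page
```

Running the check against both renderings shows the unsafe version reflecting the marker intact while the encoded version does not.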

Impact:

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Cisco TelePresence software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:

Cisco TelePresence Video Communication Server Software versions earlier than X7.0 are affected. This vulnerability has been corrected in Cisco TelePresence Video Communication Server Software version X7.0.
