V-085: Cisco Unity Express Input Validation Hole Permits Cross-Site Request Forgery Attacks

February 6, 2013 - 1:06am

PROBLEM:

Cisco Unity Express Input Validation Hole Permits Cross-Site Request Forgery Attacks

PLATFORM:

Cisco Unity Express prior to 8.0

ABSTRACT:

A vulnerability was reported in Cisco Unity Express.

REFERENCE LINKS:

Cisco Security Notice
SecurityTracker Alert ID: 1028075
CVE-2013-1120

IMPACT ASSESSMENT:

Medium

DISCUSSION:

Cisco Unity Express software prior to version 8.0 contains vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks. The vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by sending crafted requests.

IMPACT:

A remote user can take actions on the Cisco Unity Express interface acting as the target user.

SOLUTION:

No solution was available at the time of this entry. The product version is no longer supported.
