|
Description
|
|
A weakness and a vulnerability has been reported in Cisco TelePresence TC Software, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks.
1) Certain unspecified input passed to the login page is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
The weakness is reported in version 6.3-26 and versions prior to 7.3.0.
2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in versions prior to 7.1.0.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable OS:
Cisco Telepresence Integrator C SeriesVulnerable Software:
Cisco TelePresence TC and TE 6.x
|
|
|
|
|
|
Solution
|
|
Update to a fixed version (please see the vendor's advisories for details).
|
|
|
|
|
|
CVE
|
|
CVE-2015-0697
CVE-2015-0696
|
|
|
|
|
|
References
|
|
Cisco (CSCuq94977
CSCuq94980):
http://tools.cisco.com/security/center/viewAlert.x?alertId=38349
http://tools.cisco.com/security/center/viewAlert.x?alertId=38350
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
