
Cisco Unified MeetingPlace Cross Site Scripting

Posted Feb 26, 2009
Authored by National Australia Bank Security Assurance

The Cisco Unified MeetingPlace Web Conferencing system is vulnerable to a stored cross site scripting vulnerability.

tags | exploit, web, xss
systems | cisco
SHA-256 | df9ddfe51280f84ea7084cd93067cf5dc3c71d635cb29a58a61b63a95d344716

Title: Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting Vulnerability


CVE Identifier: N/A
____________

Credit:
Security Assurance Team of the National Australia Bank.

The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the “Guidelines for Security Vulnerability Reporting and Response V2.0” document when issuing Security Advisories.

Class: Stored Cross Site Scripting
____________

Remote: Yes
____________

Local: No
____________


Vulnerable:
Cisco Unified MeetingPlace 6.0 and possibly 7.0 – other versions may also be vulnerable.
____________

Not Vulnerable:
____________

Vendor: Cisco
____________

Discussion:
Cisco Unified MeetingPlace is a suite of products used for remote voice, video and web conferencing. The Cisco Unified MeetingPlace web interface allows users to schedule and attend conferences.

Each user can modify their own account settings, such as their name, telephone extension and email address. National Australia Bank’s Security Assurance Team has identified a stored cross site scripting vulnerability that a malicious user could exploit to execute code within another user's browser when that user views a meeting created by the malicious user.

____________

Exploit:
The “E-mail Address” field of the user profile page is vulnerable to stored cross site scripting attacks.

If a user enters the following in the email field, the code within the script tags will be executed whenever that user’s profile data is viewed by other users, including when viewing the details of a meeting created by this user:
"><script>INSERT JAVASCRIPT HERE</script>
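
The following is an added example, not part of the advisory and not Cisco's code. It shows in Python why a stored value beginning with `">` escapes an HTML attribute, and how encoding at output time plus allowlist validation at input time keeps it inert. The `<input>` markup, the function names and the e-mail allowlist are assumptions, since the advisory does not show the product's page source.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the placeholder string from the advisory, not a working payload.
SAMPLE = '"><script>INSERT JAVASCRIPT HERE</script>'

# Conservative allowlist (assumption: plain addr-spec, no quoted local parts).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def is_plausible_email(value):
    """Input-side check: reject anything that is not shaped like an address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

def render_unsafe(email):
    # Hypothetical profile markup: stored value concatenated into an attribute.
    return '<input type="text" name="email" value="' + email + '">'

def render_safe(email):
    # Output-side fix: encode for the HTML attribute context when rendering.
    return ('<input type="text" name="email" value="'
            + html.escape(email, quote=True) + '">')

class _Audit(HTMLParser):
    """Records which elements a parser sees and the value of the input field."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.email_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.email_value = dict(attrs).get("value")

def audit(markup):
    """Return (list of start tags, decoded value attribute) for rendered markup."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.email_value

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        tags, value = audit(render(SAMPLE))
        print(f"{name:6} elements={tags} value={value!r}")
    print("validation accepts sample:", is_plausible_email(SAMPLE))
```

In the unsafe rendering the parser sees a `script` element and an empty `value`; in the encoded rendering it sees only the `input` element, whose value decodes back to the stored string.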

Solution:
No workaround available.

This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0) also known as Maintenance Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as Maintenance Release 1 (MR1) for the 7.0 release.

____________

References:

Vendor Homepage:
http://www.cisco.com


