Secunia Security Advisory - Some vulnerabilities have been reported in Cisco Unified MeetingPlace, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct SQL injection attacks, create user and administrator accounts, or gain knowledge of sensitive information.
----------------------------------------------------------------------
TITLE:
Cisco Unified MeetingPlace Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38259
VERIFY ADVISORY:
http://secunia.com/advisories/38259/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unified
MeetingPlace, which can be exploited by malicious users to gain
escalated privileges and by malicious people to conduct SQL injection
attacks, create user and administrator accounts, or gain knowledge of
sensitive information.
1) Unspecified input is not properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
The vulnerability is reported in versions prior to 6.0.639.2 and
7.0(2.3) hotfix 5F.
2) An unspecified error when processing requests sent to the internal
interface of the web server can be exploited to bypass restrictions
and create MeetingPlace or administrator accounts.
The vulnerability is reported in versions prior to 6.0.639.3 and
7.0(2.3) hotfix 5F.
3) An error in the MeetingTime authentication mechanism can be
exploited to gain knowledge of usernames and passwords.
The vulnerability is reported in versions prior to MeetingPlace 6
MR5.
4) An unspecified error in the MeetingTime authentication mechanism
can be exploited by normal users to escalate their privileges to
those of administrator accounts.
The vulnerability is reported in versions prior to MeetingPlace 6
MR5.
SOLUTION:
Update to the latest version.
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278785523
PROVIDED AND/OR DISCOVERED BY:
The vendor credits National Australia Bank's Security Assurance team
and Credit Suisse.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml
----------------------------------------------------------------------