Summary
The host is installed with Cisco Unity Express and is prone to multiple cross-site scripting and request forgery vulnerabilities.
Impact
Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in context of an affected site and perform certain actions when a logged-in user visits a specially crafted web page.
Impact Level: Application
Solution
Upgrade to Cisco Unity Express 8.0 or later,
For updated refer to https://sso.cisco.com/autho/forms/CDClogin.html
Insight
- Input passed via the 'gui_pagenotableData' parameter to Web/SA2/ScriptList.do and 'holiday.description' parameter to /Web/SA3/AddHoliday.do are not properly sanitized before being returned to the user.
- The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests.
Affected
Cisco Unity Express version 7.x
References
- http://infosec42.blogspot.in/2013/02/cisco-unity-express-vulnerabilites.html
- http://secunia.com/advisories/52045
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
- http://tools.cisco.com/security/center/viewAlert.x?alertId=28044
- http://www.exploit-db.com/exploits/24449
- http://www.osvdb.org/89837
- http://www.osvdb.org/89841
Updated on 2017-03-28
Severity
Classification
-
CVE CVE-2013-1114, CVE-2013-1120 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities