The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


XSS vulnerability in Cisco MeetingPlace


<< Previous INDEX Search src / Print Next >>
Subject: XSS vulnerability in Cisco MeetingPlace
Date: Wed, 8 Aug 2007 15:30:00 +0100
From: "Disclosure" <Disclosure@securetest.com.>
To: <full-disclosure@lists.grok.org.uk.>, <bugtraq@securityfocus.com.>
X-SecureTest-MailScanner: Found to be clean
X-Virus-Scanned: antivirus-gw at tyumen.ru

SecureTest Ltd (www.securetest.com) Security Advisory

XSS vulnerability in Cisco MeetingPlace

Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch
available.
Reference: http://www.cisco.com

Overview:

There exists a cross site scripting issue in Cisco MeetingPlace
Application. The result of this is that when a specially crafted web
page with a hidden arbitrary code could be executed on the host
accessing the application.
=20
Details:

Cisco Meetingplace provides a web based application for online meetings.
It was discovered that a specially crafted script could be executed on
certain parameters with in Meetingplace application.

The result is script code execution in the local user context in the
host. Preliminary tests concluded the system is vulnerable with most
popular web browsers such as Microsoft Internet Explorer 7.0 and Mozilla
Firefox 2.0 fully patched.

User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.

Affected Versions:

This vulnerability has been confirmed in the following versions:

- 4.3.0.246
- 4.3.0.246.5
- 5.3.104.0
- 5.3.104.3


The following versions have been tested and are unaffected due to the
fact they return an xml template:

- 5.3.333.0
- 5.3.447
- 5.3.447.4
- 5.4.70.0
- 6.0.170.0


Vendor Response:

Cisco bug ID: CSCsi33940

The above vulnerability was addressed by Cisco Systems recommending that
you update grade to Version 5.3.333.0 or higher

Please see
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for
details.

SecureTest for all your PCI requirements- PCI workshops, PCI Scoping, Assis=
tance with Self Assessment questionnaires, Gap Analysis, ASV Scanning, PCI-=
DSS Audits - SecureTest are an accredited PCI ASV & QSA company.

Contact SecureTest now to discuss your requirements in more detail on 01844=
 210310 or e-mail us [email protected]=20

SecureTest Ltd is a company registered in England and Wales with company nu=
mber 4474600

Our VAT number is 793 8555 69



<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру