
Cisco Security Advisory: Cisco Unified MeetingPlace Unauthorized Password Change Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Cisco Unified MeetingPlace Unauthorized Password 
Change Vulnerability

Advisory ID: cisco-sa-20150722-mp

Revision 1.0

For Public Release 2015 July 22 16:00 UTC (GMT)

----------------------------------------------------------------------------------------

Summary
=======

The password change functionality in the Cisco Unified MeetingPlace Web 
Conferencing application could allow an unauthenticated, remote attacker to 
change the passwords of arbitrary users. The vulnerability is due to the 
following:

  * Users are not required to enter the previous password during a password 
    change request.
  * HTTP session functionality does not validate the session ID in the HTTP 
    request for the password change request.

An attacker could exploit this vulnerability via a crafted HTTP request and 
change arbitrary user passwords to gain access to the application. A successful 
exploit could allow the attacker to use the reset credentials to gain full 
control of the application.

Cisco has released software updates that address this vulnerability. There is 
no workaround that mitigates this vulnerability. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-mp

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
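
An added example, not Cisco's code and not part of the advisory: a password-change handler that enforces the two checks the Summary lists as missing. The in-memory user and session stores, the function names and the reason strings are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed in-memory stores; a real application would use its own back ends.
USERS = {}      # username -> (salt, password hash)
SESSIONS = {}   # session ID -> username

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash(password, salt))

def verify_password(username, password):
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _hash(password, salt))

def login(username, password):
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def change_password(session_id, target_user, old_password, new_password):
    """Return (ok, reason). Both checks must pass before the stored hash changes."""
    # Check 1: the session ID in the request must map to a live session.
    owner = SESSIONS.get(session_id or "")
    if owner is None:
        return False, "invalid-session"
    # The session only authorizes changes to its own account.
    if owner != target_user:
        return False, "session-user-mismatch"
    # Check 2: the caller must prove knowledge of the current password.
    if not verify_password(target_user, old_password or ""):
        return False, "old-password-incorrect"
    create_user(target_user, new_password)
    # Invalidate every session for this user so old or stolen IDs stop working.
    for sid in [s for s, u in SESSIONS.items() if u == target_user]:
        del SESSIONS[sid]
    return True, "changed"
```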