Cisco Bug: CSCuj43084 - Chat sessions are vulnerable to OWASP A2

Last Modified

Jun 29, 2018

Products (1)

  • Cisco Unified E-Mail Interaction Manager

Known Affected Releases

9.0(1)

Description (partial)

Symptom:
A vulnerability in Cisco Unified Web and E-Mail Interaction Manager could allow an unauthenticated, remote attacker to capture, forge, or brute-force a session identifier transmitted as a parameter in GET requests.

The vulnerability is due to improper use of session identifiers in GET requests. An attacker could exploit this vulnerability by capturing, forging, or brute-forcing a session identifier and injecting it into a GET request. A successful exploit could allow the attacker to inject arbitrary text into existing chat conversations.

Conditions:
None
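A defender-side illustration of the weakness described above, added here as example code that is not Cisco's or the product's own: the weak pattern (session identifier read from a GET parameter) beside a hardened form that accepts it only from a cookie and refuses URL-borne identifiers, plus a check that scans web access-log lines for session identifiers that have already been written into URLs. The parameter name `sessionId`, the in-memory session store and the log lines are constructed assumptions, not values from the bug report.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "sessionId"  # assumed parameter name; the bug report does not name it
SESSIONS = {}                # constructed in-memory store: token -> username


def login(username):
    """Issue a fresh, unguessable session token (256 bits from the OS CSPRNG),
    so brute-forcing stays infeasible even when the token format is known."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def weak_lookup(url):
    """Weak pattern (the one the bug describes): the session identifier is a
    GET query parameter, so it lands in browser history, Referer headers and
    proxy/server logs, where it can be captured and replayed."""
    token = parse_qs(urlsplit(url).query).get(SESSION_PARAM, [None])[0]
    return SESSIONS.get(token)


def hardened_lookup(url, cookies):
    """Hardened pattern: the identifier is accepted only from the cookie jar
    (set with HttpOnly/Secure flags by the server), never from the URL; a
    request that still carries one in the query string is refused outright."""
    if SESSION_PARAM in parse_qs(urlsplit(url).query):
        return None
    return SESSIONS.get(cookies.get(SESSION_PARAM))


# Matches the request line inside a common-log-format access-log entry.
ACCESS_LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def find_session_ids_in_urls(log_lines):
    """Detection: return request paths that carry the session parameter in the
    URL; each hit is a token that has already been written to disk."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.search(line)
        if m and SESSION_PARAM in parse_qs(urlsplit(m.group("path")).query):
            hits.append(m.group("path"))
    return hits


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2018:10:00:01 +0000] "GET /chat/send?sessionId=abc123&msg=hi HTTP/1.1" 200 512',
    '10.0.0.6 - - [29/Jun/2018:10:00:02 +0000] "GET /chat/poll HTTP/1.1" 200 128',
]
```

Running `find_session_ids_in_urls` over real access logs is a quick way to confirm whether a deployment still passes session identifiers in URLs after a fix is applied.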