Cisco Bug: CSCuo95791 - CUCM Platform Vulnerable to CSRF Attack
Last Modified
Feb 02, 2017
Products (1)
- Cisco Unified Communications Manager (CallManager)
Known Affected Releases
10.0(1.10000.12)
Description (partial)
Symptom: A vulnerability in the web application of Cisco Unified Communications Manager could allow an authenticated, local attacker to execute unwanted actions. The vulnerability is due to Cross-Site Request Forgery (CSRF). An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action.

Conditions: The web applications in Cisco Unified Communications Manager have several pages that are vulnerable to CSRF attacks, which can change settings. Examples include uploading and deleting certificates, custom login messages and TFTP files:
- https://cucmserver/cmplatform/certificateUpload.do
- https://cucmserver/cmplatform/certificateDelete.do
- https://cucmserver/cmplatform/clmFileUpload.do
- https://cucmserver/cmplatform/clmFileDelete.do
- https://cucmserver/cmplatform/tftpFileUpload.do
- https://cucmserver/cmplatform/tftpFLDeleteSelected.do
- https://cucmserver/cmplatform/ssoAppConfigSave.do
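A defender's check for the endpoints listed in the description, as an added example that is not part of the Cisco bug record: it scans web access logs for requests to those pages whose Referer is missing or names another host. The combined log layout, the function name `flag_cross_site` and the sample lines are assumptions; `cucmserver` is the placeholder host used in the URLs of the description.

```python
import re
from urllib.parse import urlsplit

# State-changing endpoints listed in the bug description.
SENSITIVE_PATHS = {"/cmplatform/" + name for name in (
    "certificateUpload.do", "certificateDelete.do", "clmFileUpload.do",
    "clmFileDelete.do", "tftpFileUpload.do", "tftpFLDeleteSelected.do",
    "ssoAppConfigSave.do")}

# Assumption: Apache/Tomcat "combined" access-log layout.
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)"')

def flag_cross_site(lines, server_host):
    """Return (timestamp, user, path, referer) for requests to the listed
    endpoints whose Referer is missing or names a different host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Drop the query string and any ";jsessionid=..." path parameter.
        path = urlsplit(m["target"]).path.split(";")[0]
        if path not in SENSITIVE_PATHS:
            continue
        referer = m["referer"]
        ref_host = None if referer in ("", "-") else urlsplit(referer).hostname
        if ref_host is None or ref_host.lower() != server_host.lower():
            findings.append((m["ts"], m["user"], path, referer))
    return findings

# Constructed sample lines (not real CUCM logs).
SAMPLE = [
    '10.1.1.20 - admin [01/Jan/2024:10:01:12 +0000] "POST /cmplatform/certificateUpload.do HTTP/1.1" 200 512 "https://cucmserver/cmplatform/certificateUpload.do" "Mozilla/5.0"',
    '10.1.1.20 - admin [01/Jan/2024:10:03:40 +0000] "POST /cmplatform/tftpFLDeleteSelected.do HTTP/1.1" 200 230 "http://forum.example/thread/42" "Mozilla/5.0"',
    '10.1.1.20 - admin [01/Jan/2024:10:04:02 +0000] "GET /cmplatform/certificateDelete.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.1.1.20 - admin [01/Jan/2024:10:05:00 +0000] "GET /other/page.do HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in flag_cross_site(SAMPLE, "cucmserver"):
        print(finding)
```

Hits are leads for review rather than proof of forgery, since browsers and proxies can strip the Referer header from legitimate requests.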