Cisco Bug: CSCus88031 - Magic Session ID allows unauthenticated Access to SOAP calls

Last Modified

Jun 29, 2018

Products (3)

  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Communications Manager IM and Presence Service Version 10.5
  • Cisco Unified Communications Manager IM and Presence Service Version 11.0

Known Affected Releases

10.5(2) 11.0(1) 9.1(2)

Description (partial)

A vulnerability in the Simple Object Access Protocol (SOAP) handler of Cisco Unified Communications Manager (CUCM), Cisco Unified Presence
(CUP) and Cisco Unified Communications IM & Presence Server could allow an unauthenticated, remote attacker to potentially disclose sensitive

The vulnerability is due to the use of hard-coded session identifiers by administrative interfaces to retrieve user status information. An
attacker could exploit this vulnerability by leveraging the hard-coded session IDs to disclose the session information.

The vulnerability was reported to Cisco by Vantage Point.

Devices running an affected version of the Cisco Unified Communications Manager (CUCM) and Cisco Unified IM & Presence.