Cisco Bug: CSCus97494 - APIs vulnerable to CSRF attacks on web-users

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Unified MeetingPlace

Known Affected Releases

8.6(1.9)

Description (partial)

Symptom:
A vulnerability in the SOAP API endpoints of the webservices directory of the Cisco Unified MeetingPlace could allow an unauthenticated, remote
attacker to perform a cross-site request forgery (CSRF) attack.

The vulnerability is due to insufficient CSRF protections in the API endpoints. An attacker could exploit this vulnerability by convincing the
admin of the MeetingPlace instance to visit an attacker-controlled website that, without the admin's knowledge, triggers the creation of a new admin user. A successful
exploit could allow the attacker to use the new admin user to conduct further attacks.
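The defect class described above is the absence of any check that a state-changing SOAP request actually originated from the application's own pages, so a cookie-authenticated browser will happily submit it from any site. The following is an added illustration, not code from Cisco or from MeetingPlace: it models a user-creation endpoint twice, once with only a session cookie check (the pattern the bug describes) and once with the usual CSRF defences layered on top (trusted Origin/Referer, a SOAP content type that browsers will not send cross-origin without a preflight, and a per-session synchronizer token). The endpoint path, hostnames, secret and session table are all constructed assumptions; the real product's API names are not on this page.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical values: the page does not give the product's real hostname,
# endpoint paths or secrets. These exist only so the example runs offline.
TRUSTED_ORIGINS = {"https://meetingplace.example.invalid"}
SERVER_SECRET = b"constructed-server-secret-rotate-me"
ACTIVE_SESSIONS = {"sess-42": "admin"}          # session cookie -> user
CREATE_USER_PATH = "/webservices/soap/CreateUser"
SOAP_CONTENT_TYPES = {"text/xml", "application/soap+xml"}


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str):
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The server embeds it in its own pages; a cross-site page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)


def origin_allowed(req: Request) -> bool:
    """Browsers attach Origin (or at least Referer) to cross-site POSTs.
    A request with neither is treated as untrusted rather than waved through."""
    origin = req.header("Origin")
    if origin is None:
        referer = req.header("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in TRUSTED_ORIGINS


def unprotected_create_user(req: Request) -> bool:
    """Weak handler: any POST carrying a valid session cookie is honoured.
    The browser adds the cookie automatically, so a page on another site
    that submits this request succeeds whenever the admin is logged in."""
    if req.method != "POST" or req.path != CREATE_USER_PATH:
        return False
    return req.cookies.get("session") in ACTIVE_SESSIONS


def protected_create_user(req: Request) -> bool:
    """Hardened handler: session cookie AND trusted source AND a SOAP content
    type (which forces a CORS preflight cross-origin) AND a per-session token."""
    if req.method != "POST" or req.path != CREATE_USER_PATH:
        return False
    session_id = req.cookies.get("session")
    if session_id not in ACTIVE_SESSIONS:
        return False
    if not origin_allowed(req):
        return False
    content_type = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if content_type not in SOAP_CONTENT_TYPES:
        return False
    return token_valid(session_id, req.header("X-CSRF-Token"))


# Constructed sample traffic. Both requests carry the admin's session cookie;
# only the first was issued by the application's own page.
LEGIT = Request(
    "POST", CREATE_USER_PATH,
    headers={"Origin": "https://meetingplace.example.invalid",
             "Content-Type": "text/xml; charset=utf-8",
             "X-CSRF-Token": make_csrf_token("sess-42")},
    cookies={"session": "sess-42"},
    body="<soap:Envelope><soap:Body><CreateUser/></soap:Body></soap:Envelope>",
)
CROSS_SITE = Request(
    "POST", CREATE_USER_PATH,
    headers={"Origin": "https://third-party.example.invalid",
             "Content-Type": "text/plain"},   # all a plain HTML form can send
    cookies={"session": "sess-42"},
    body="<soap:Envelope><soap:Body><CreateUser/></soap:Body></soap:Envelope>",
)


def demo() -> dict:
    """Returns each handler's decision for both requests."""
    return {
        "legit_unprotected": unprotected_create_user(LEGIT),
        "cross_site_unprotected": unprotected_create_user(CROSS_SITE),
        "legit_protected": protected_create_user(LEGIT),
        "cross_site_protected": protected_create_user(CROSS_SITE),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The weak handler accepts both requests, which is the behaviour the bug describes; the hardened one rejects the cross-site request on three independent grounds, so a gap in any single check (a proxy stripping Origin, say) does not reopen the hole. For a SOAP service the content-type and custom-header checks are cheap to add because legitimate clients already send them, while the token is what actually binds the request to a page the server rendered.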

Conditions:
Device configured with default configuration.

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.