Cisco Bug: CSCus97494 - APIs vulnerable to CSRF attacks on web-users
Aug 11, 2015
- Cisco Unified MeetingPlace
Known Affected Releases
Symptom: A vulnerability in the SOAP API endpoints of the webservices directory of Cisco Unified MeetingPlace could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections on the API endpoints. An attacker could exploit this vulnerability by convincing an administrator of the MeetingPlace instance to visit an attacker-controlled website, which would cause the administrator's browser to create a new admin user without the administrator's knowledge. A successful exploit could allow the attacker to use the new admin user to conduct further attacks.

Conditions: Device configured with default configuration.
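As an added illustration (not Cisco's code; the hostname, endpoint path and SOAPAction value are assumed), this is the kind of server-side gate that rejects a forged cross-site POST to a state-changing SOAP operation such as user creation, while letting a legitimate same-origin SOAP call through:

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional
from urllib.parse import urlparse

# Constructed example: a CSRF gate for state-changing SOAP operations.
SITE_HOST = "meetingplace.example.com"   # assumed hostname of the web front end
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def csrf_reason(req: Request, session_token: str) -> Optional[str]:
    """Return None if the request may proceed, else the reason it is rejected.

    Three independent checks, each of which alone defeats a forged cross-site POST:
    1. Content-Type must be a real SOAP type; an HTML form can only submit
       urlencoded, multipart or text/plain bodies.
    2. A SOAPAction header must be present; a cross-origin page cannot add a
       custom header without a CORS preflight (assumed not to be answered
       permissively by this server).
    3. Origin (or Referer) must name this site, and the per-session token in
       X-CSRF-Token must match the one bound to the session.
    """
    headers = {k.lower(): v for k, v in req.headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES:
        return f"unexpected content type {ctype!r}"
    if "soapaction" not in headers:
        return "missing SOAPAction header"
    origin = headers.get("origin") or headers.get("referer")
    if not origin or urlparse(origin).hostname != SITE_HOST:
        return f"cross-origin request from {origin!r}"
    token = headers.get("x-csrf-token", "")
    if not compare_digest(token, session_token):
        return "CSRF token mismatch"
    return None
```

Logging the returned reason alongside the client address and Referer gives a direct detection signal for forged requests against the webservices endpoints.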