Cisco Telepresence Video Communication Servers Software up to X5.1 Login Page cross site scripting
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
A vulnerability was found in Cisco Telepresence Video Communication Servers Software up to X5.1 (Unified Communication Software) and classified as problematic. This issue affects an unknown part of the component Login Page. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:
Cross-site scripting (XSS) vulnerability in the login page in the administrative interface on Cisco TelePresence Video Communication Servers (VCS) with software before X7.0 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, aka Bug ID CSCts80342.
The weakness was presented 10/19/2011 (Website). The advisory is shared at xforce.iss.net. The identification of this vulnerability is CVE-2011-3294. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.
Upgrading to version X5.2 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (70563), SecurityFocus (BID 50084†), SecurityTracker (ID 1026186†) and Vulnerability Center (SBV-33545†).
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-79 / CWE-94 / CWE-74
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Telepresence Video Communication Servers Software X5.2
Timeline
08/29/2011 🔍10/12/2011 🔍
10/12/2011 🔍
10/16/2011 🔍
10/19/2011 🔍
10/19/2011 🔍
03/23/2015 🔍
12/02/2024 🔍
Sources
Vendor: cisco.comAdvisory: xforce.iss.net
Status: Confirmed
CVE: CVE-2011-3294 (🔍)
X-Force: 70563
SecurityFocus: 50084 - Cisco TelePresence Video Communication Server 'User-Agent' HTTP Header HTML Injection Vulnerability
SecurityTracker: 1026186
Vulnerability Center: 33545 - [cisco-sr-20111012-vcs] Cisco TelePresence Video Communication Server before X7.0 XSS Vulnerability, Medium
Entry
Created: 03/23/2015 04:50 PMUpdated: 12/02/2024 03:29 AM
Changes: 03/23/2015 04:50 PM (50), 04/03/2017 06:01 PM (9), 11/24/2021 09:46 AM (3), 12/02/2024 03:29 AM (17)
Complete: 🔍
Cache ID: 18:C6B:40
No comments yet. Languages: en.
Please log in to comment.