Cisco Unified MeetingPlace 8.6(1.9) Web User Interface information disclosure
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
5.5 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Cisco Unified MeetingPlace 8.6(1.9) (Unified Communication Software). This affects an unknown function of the component Web User Interface. Manipulation with an unknown input leads to an information disclosure vulnerability. CWE classifies the issue as CWE-200: the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
The web-based user interface in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCus97452.
The weakness was published on 05/30/2015 by Cisco as confirmed advisory CSCus97452 (Website). The advisory is shared at tools.cisco.com. This vulnerability has been uniquely identified as CVE-2015-0758 since 01/07/2015. It is possible to initiate the attack remotely. Successful exploitation requires authentication. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project uses the attack technique T1592 for this issue.
The vulnerability scanner Nessus provides a plugin with the ID 84193 (Cisco Unified MeetingPlace XML Processing Information Disclosure (CSCus97452)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CISCO.
The vulnerability is also documented in the databases at X-Force (103557) and Tenable (84193).
Product
Support: end of life (old version)
CVSSv3
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 5.5
VulDB Base Score: 6.3
VulDB Temp Score: 5.5
Exploiting
Class: Information disclosure
CWE: CWE-200 / CWE-284 / CWE-266
ATT&CK: T1592
Local: No
Remote: Yes
Status: Unproven
Nessus ID: 84193
Nessus Name: Cisco Unified MeetingPlace XML Processing Information Disclosure (CSCus97452)
Countermeasures
Recommended: no mitigation known
Timeline
01/07/2015
05/30/2015
05/30/2015
05/30/2015
05/31/2015
06/01/2015
06/15/2015
07/08/2015
05/19/2022
Sources
Vendor: cisco.com
Advisory: CSCus97452
Organization: Cisco
Status: Confirmed
CVE: CVE-2015-0758
X-Force: 103557 - Cisco Unified MeetingPlace XML information disclosure
SecurityTracker: 1032448
Vulnerability Center: 51047 - Cisco Unified MeetingPlace 8.6(1.9) Remote Information Disclosure via an XML Document, Medium
SecurityFocus: 74922 - Cisco Unified MeetingPlace CVE-2015-0758 XML External Entity Information Disclosure Vulnerability
Entry
Created: 05/31/2015 14:35
Updated: 05/19/2022 17:03
Changes: 05/31/2015 14:35 (59), 07/10/2017 09:06 (9), 05/19/2022 16:55 (3), 05/19/2022 17:03 (1)