Cisco TelePresence Video Communication Server Expressway SOAP API cross-site request forgery

Summaryinfo

A vulnerability was found in Cisco TelePresence Video Communication Server Expressway and classified as problematic. This vulnerability affects unknown code of the component SOAP API. Such manipulation leads to cross-site request forgery. This vulnerability is traded as CVE-2024-20255. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Cisco TelePresence Video Communication Server Expressway (Unified Communication Software). It has been rated as problematic. Affected by this issue is an unknown code of the component SOAP API. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is integrity. CVE summarizes:

A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload.

The weakness was shared 02/07/2024 as cisco-sa-expressway-csrf-KnnZDMj3. The advisory is shared for download at sec.cloudapps.cisco.com. This vulnerability is handled as CVE-2024-20255 since 11/08/2023. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Upgrading eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Unified Communication Software

Vendor

• Cisco

Name

• TelePresence Video Communication Server Expressway

Version

• X8.1
• X8.1.1
• X8.1.2
• X8.2
• X8.2.1
• X8.2.2
• X8.5
• X8.5.1
• X8.5.3
• X8.6
• X8.6.1
• X8.7
• X8.7.1
• X8.7.2
• X8.7.3
• X8.8
• X8.8.1
• X8.8.2
• X8.8.3
• X8.9
• X8.9.1
• X8.9.2
• X8.10.0
• X8.10.1
• X8.10.2
• X8.10.3
• X8.10.4
• X8.11.0
• X8.11.1
• X8.11.2
• X8.11.3
• X8.11.4
• X12.5.0
• X12.5.1
• X12.5.2
• X12.5.3
• X12.5.4
• X12.5.5
• X12.5.6
• X12.5.7
• X12.5.8
• X12.5.9
• X12.6.0
• X12.6.1
• X12.6.2
• X12.6.3
• X12.6.4
• X12.7.0
• X12.7.1
• X14.0.1
• X14.0.2
• X14.0.3
• X14.0.4
• X14.0.5
• X14.0.6
• X14.0.7
• X14.0.8
• X14.0.9
• X14.0.10
• X14.0.11
• X14.2.0
• X14.2.1
• X14.2.2
• X14.2.5
• X14.2.6
• X14.2.7
• X14.3.0
• X14.3.1
• X14.3.2

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion