Advertisements

 XSS vulnerability in Cisco MeetingPlace

Thursday, 9 August 2007

SecureTest Ltd (www.securetest.com) Security Advisory

XSS vulnerability in Cisco MeetingPlace

Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch
available.
Reference: http://www.cisco.com

Overview:

There exists a cross site scripting issue in Cisco MeetingPlace
Application. The result of this is that when a specially crafted web
page with a hidden arbitrary code could be executed on the host
accessing the application.

Details:

Cisco Meetingplace provides a web based application for online meetings.
It was discovered that a specially crafted script could be executed on
certain parameters with in Meetingplace application.

The result is script code execution in the local user context in the
host. Preliminary tests concluded the system is vulnerable with most
popular web browsers such as Microsoft Internet Explorer 7.0 and Mozilla
Firefox 2.0 fully patched.

User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.

Affected Versions:

This vulnerability has been confirmed in the following versions:

- 4.3.0.246
- 4.3.0.246.5
- 5.3.104.0
- 5.3.104.3

The following versions have been tested and are unaffected due to the
fact they return an xml template:

- 5.3.333.0
- 5.3.447
- 5.3.447.4
- 5.4.70.0
- 6.0.170.0

Vendor Response:

Cisco bug ID: CSCsi33940

The above vulnerability was addressed by Cisco Systems recommending that
you update grade to Version 5.3.333.0 or higher

Please see
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for
details.

SecureTest for all your PCI requirements- PCI workshops, PCI Scoping, Assistance with Self Assessment questionnaires, Gap Analysis, ASV Scanning, PCI-DSS Audits - SecureTest are an accredited PCI ASV & QSA company.

Contact SecureTest now to discuss your requirements in more detail on 01844 210310 or e-mail us pci at securetest.com

SecureTest Ltd is a company registered in England and Wales with company number 4474600

Our VAT number is 793 8555 69



Share this content:
        
Advertisements
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.