Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: tb12021.htm

XSS vulnerability in Cisco MeetingPlace



XSS vulnerability in Cisco MeetingPlace
XSS vulnerability in Cisco MeetingPlace



SecureTest Ltd (www.securetest.com) Security Advisory 

XSS vulnerability in Cisco MeetingPlace

Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch
available.
Reference: http://www.cisco.com 

Overview:

There exists a cross site scripting issue in Cisco MeetingPlace
Application. The result of this is that when a specially crafted web
page with a hidden arbitrary code could be executed on the host
accessing the application.
 
Details:

Cisco Meetingplace provides a web based application for online meetings.
It was discovered that a specially crafted script could be executed on
certain parameters with in Meetingplace application.

The result is script code execution in the local user context in the
host. Preliminary tests concluded the system is vulnerable with most
popular web browsers such as Microsoft Internet Explorer 7.0 and Mozilla
Firefox 2.0 fully patched.

User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.

Affected Versions:

This vulnerability has been confirmed in the following versions:

- 4.3.0.246
- 4.3.0.246.5
- 5.3.104.0
- 5.3.104.3

The following versions have been tested and are unaffected due to the
fact they return an xml template:

- 5.3.333.0
- 5.3.447
- 5.3.447.4
- 5.4.70.0
- 6.0.170.0

Vendor Response:

Cisco bug ID: CSCsi33940

The above vulnerability was addressed by Cisco Systems recommending that
you update grade to Version 5.3.333.0 or higher

Please see
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for 
details.

SecureTest for all your PCI requirements- PCI workshops, PCI Scoping, Assistance with Self Assessment questionnaires, Gap Analysis, ASV Scanning, PCI-DSS Audits - SecureTest are an accredited PCI ASV & QSA company.

Contact SecureTest now to discuss your requirements in more detail on 01844 210310 or e-mail us pci@securetest.com 

SecureTest Ltd is a company registered in England and Wales with company number 4474600

Our VAT number is 793 8555 69



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH