Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco TelePresence IP VCR Cross-Site Request Forgery Vulnerability

Cisco-SA-20150709-CVE-2015-4256 · Medium · Published · Updated

A vulnerability in the Cisco TelePresence IP VCR Series could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to insufficient cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web application into executing an adverse action. Cisco has confirmed the vulnerability; however, software updates are not available. To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.


Workarounds

Administrators are advised to contact the vendor regarding future updates and releases.

Users should verify that unsolicited links are safe to follow.

For additional information about cross-site request forgery attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Request Forgery Threat Vectors" (http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28726).

Administrators are advised to monitor affected systems.

CVEs: CVE-2015-4256
Cisco Bug IDs: CSCuu90736
CVSS Score: Base 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C)
Product Names From Source: Cisco TelePresence IP VCR Series

Related Products

Product                             CVE             Evidence
Cisco TelePresence IP VCR Series    CVE-2015-4256   Cisco OpenVuln
Cisco TelePresence                  CVE-2015-4256   Cisco OpenVuln