Vulnslist

Cisco Telepresence Video Communication Server Expressway Call Policy Configuration Page Denial of Service Vulnerability

Cisco-SA-20150813-CVE-2015-4315 · Medium · Published 10 years ago · Updated 10 years ago

A vulnerability in the Call Policy Configuration page of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or read arbitrary files on an affected system. The vulnerability is due to insufficient validation of declared document type definitions (DTD) stored externally. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the targeted system. An exploit could allow the attacker to launch a denial of service attack or read arbitrary files. Cisco has confirmed the vulnerability; however, software updates are not available. To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement reduces the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Related Products