Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco TelePresence Server Cross-Site Request Forgery Vulnerability

Cisco-SA-20150922-CVE-2015-6304 · Medium · Published · Updated

A vulnerability in the web interface of Cisco TelePresence Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow an attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user. Cisco has confirmed the vulnerability; however, software updates are not available. To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious website, and use misleading language or instructions to persuade the user to follow the provided link.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to contact the vendor regarding future updates and releases.

Users should verify that unsolicited links are safe to follow.

For additional information about cross-site request forgery attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Request Forgery Threat Vectors" (https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=28726).

Administrators are advised to monitor affected systems.
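The advisory attributes the issue to "insufficient CSRF protections" on state-changing requests to the web interface. The following is an added illustration (not Cisco code, and not derived from the affected product) of what that weakness looks like in a request handler and how a synchronizer token plus an Origin check closes it. The handler names, the session store and the sample requests are constructed for the example; the trusted origin is an assumed placeholder.

```python
import hmac
import secrets

# Constructed sample session store: session id -> logged-in user and a
# per-session anti-CSRF token issued when the session was created.
SESSIONS = {
    "sess-abc123": {"user": "admin", "csrf_token": secrets.token_hex(16)},
}

# Assumed origin of the management web interface (placeholder value).
TRUSTED_ORIGIN = "https://telepresence.example.internal"


def make_request(session_cookie, origin, form):
    """Build a minimal request dict the way a browser would submit a form.

    The browser attaches the session cookie automatically, which is exactly
    why a forged cross-site POST can carry a victim's valid session.
    """
    headers = {"Origin": origin} if origin else {}
    return {"cookies": {"session": session_cookie}, "headers": headers, "form": form}


def handle_post_weak(request):
    """Weak handler (hypothetical): trusts the session cookie alone.

    A request triggered from an attacker-controlled page carries the victim's
    cookie, so the action is applied with the victim's privileges.
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "no session"
    return 200, "action applied as %s" % session["user"]


def handle_post_hardened(request):
    """Hardened handler (hypothetical): cookie + Origin check + synchronizer token.

    The Origin header, when present, must match the interface's own origin,
    and the form must echo the per-session token that a cross-site page
    cannot read. compare_digest avoids a timing side channel on the token.
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "no session"

    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"

    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"

    return 200, "action applied as %s" % session["user"]


def demo():
    """Run both handlers over a forged and a legitimate request; returns the status codes."""
    forged = make_request("sess-abc123", "https://attacker.example", {"action": "reboot"})
    legit = make_request(
        "sess-abc123",
        TRUSTED_ORIGIN,
        {"action": "reboot", "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]},
    )
    return {
        "weak_forged": handle_post_weak(forged)[0],          # 200: CSRF succeeds
        "hardened_forged": handle_post_hardened(forged)[0],  # 403: rejected
        "hardened_legit": handle_post_hardened(legit)[0],    # 200: real user unaffected
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient, since some clients omit the header, which is why the token is the primary control and the Origin comparison is a second layer; setting the session cookie with the SameSite attribute is a further layer modern browsers honour.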

CVEs: CVE-2015-6304
Cisco Bug IDs: NA
CVSS Score: Base 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C)
Product Names From Source: Cisco TelePresence Server Software, Cisco TelePresence Server

Related Products

Product                               CVE            Evidence
Cisco TelePresence Server Software    CVE-2015-6304  Cisco OpenVuln
Cisco TelePresence Server             CVE-2015-6304  Cisco OpenVuln
Cisco TelePresence                    CVE-2015-6304  Cisco OpenVuln