6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
75.0%
A vulnerability in the web framework in the Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to inject arbitrary commands that are executed at the nobody
privilege level.
The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. The user must be authenticated in order to access the affected parameter. A successful exploit could allow an attacker to execute commands at the nobody privilege level.
Cisco has confirmed the vulnerability and released updated software.
To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.
Cisco PSIRT indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.