Cisco Telepresence Video Communication Server Expressway Call Policy Configuration Page Denial of Service Vulnerability

2015-08-1321:13:06

tools.cisco.com

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:N/A:P

EPSS

0.002

Percentile

61.3%

JSON

A vulnerability in the Call Policy Configuration page of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or read arbitrary files on an affected system.

The vulnerability is due to insufficient validation of declared document type definitions (DTD) stored externally. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the targeted system. An exploit could allow the attacker to launch a denial of service attack or read arbitrary files.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement reduces the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Vulners

Node

ciscotelepresence_video_communication_serverMatchanyexpressway

VendorProductVersionCPE
ciscotelepresence_video_communication_serveranycpe:2.3:a:cisco:telepresence_video_communication_server:any:*:*:*:expressway:*:*:*