Cisco Elastic Services Controller Service Portal Unauthorized Access Vulnerability

A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system.

The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Security Impact Rating: High

CVE: CVE-2018-0130

Related:

  • No Related Posts

Cisco TelePresence Management Suite Simple Object Access Protocol Vulnerability

A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco TelePresence Management Suite (TMS) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device.

The vulnerability is due to a lack of proper access and authentication controls on the affected TMS software. An attacker could exploit this vulnerability by gaining access to internal, trusted networks to send crafted SOAP calls to the affected device. If successful, an exploit could allow the attacker to access system management tools. Under normal circumstances, this access should be prohibited.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-tms-soap

Security Impact Rating: Medium

CVE: CVE-2019-1660

Related:

  • No Related Posts

Cisco Webex Business Suite Content Injection Vulnerability

A vulnerability in Cisco Webex Business Suite could allow an unauthenticated, remote attacker to inject arbitrary text into a user’s browser.

The vulnerability is due to improper validation of input. An attacker could exploit this vulnerability by convincing a targeted user to view a malicious URL. A successful exploit could allow the attacker to inject arbitrary text into the user’s browser. The attacker could use the content injection to conduct spoofing attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-webex-injection

Security Impact Rating: Medium

CVE: CVE-2019-1680

Related:

  • No Related Posts