Check Point Reference: | CPAI-2006-085 |
Date Published: | 16 Jul 2006 |
Severity: | Medium |
Last Updated: | Thursday 03 May, 2007 |
Source: | SecuriTeam Cisco Security Response |
Protection Provided by: | |
Who is Vulnerable? | Cisco CallManager version 3.1 and above |
Vulnerability Description | Cisco Unified CallManager software is the call-processing component of the Cisco Unified Communications system. The web interface used to administer Cisco CallManager software fails to properly validate user input. A specially crafted request could cause the CallManager web interface to include malicious JavaScript in its response. Once the response is processed, the malicious JavaScript payload will be executed in the browser of the victim. |
Update/Patch Available | Check Point is not aware of a patch made available for this issue. |
Vulnerability Details | The web interface used to administer Cisco CallManager software does not properly validate user-supplied input. An attacker can take advantage of this by crafting a request that causes the CallManager web interface to include malicious JavaScript in its response. If such a request is delivered to a CallManager administrator, the attacker can perform a variety of actions, including deletion of phone system components such as devices, reconfiguration of phone system components such as route plans, theft of global directory user credentials, and more. |