lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Aug 2007 15:30:00 +0100
From: "Disclosure" <Disclosure@...uretest.com>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: XSS vulnerability in Cisco MeetingPlace

SecureTest Ltd (www.securetest.com) Security Advisory

XSS vulnerability in Cisco MeetingPlace

Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch
available.
Reference: http://www.cisco.com

Overview:

There exists a cross site scripting issue in Cisco MeetingPlace
Application. The result of this is that when a specially crafted web
page with a hidden arbitrary code could be executed on the host
accessing the application.
 
Details:

Cisco Meetingplace provides a web based application for online meetings.
It was discovered that a specially crafted script could be executed on
certain parameters with in Meetingplace application.

The result is script code execution in the local user context in the
host. Preliminary tests concluded the system is vulnerable with most
popular web browsers such as Microsoft Internet Explorer 7.0 and Mozilla
Firefox 2.0 fully patched.

User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.

Affected Versions:

This vulnerability has been confirmed in the following versions:

- 4.3.0.246
- 4.3.0.246.5
- 5.3.104.0
- 5.3.104.3

The following versions have been tested and are unaffected due to the
fact they return an xml template:

- 5.3.333.0
- 5.3.447
- 5.3.447.4
- 5.4.70.0
- 6.0.170.0

Vendor Response:

Cisco bug ID: CSCsi33940

The above vulnerability was addressed by Cisco Systems recommending that
you update grade to Version 5.3.333.0 or higher

Please see
http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for
details.

SecureTest for all your PCI requirements- PCI workshops, PCI Scoping, Assistance with Self Assessment questionnaires, Gap Analysis, ASV Scanning, PCI-DSS Audits - SecureTest are an accredited PCI ASV & QSA company.

Contact SecureTest now to discuss your requirements in more detail on 01844 210310 or e-mail us pci@...uretest.com 

SecureTest Ltd is a company registered in England and Wales with company number 4474600

Our VAT number is 793 8555 69

Powered by blists - more mailing lists