| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Aug 2007 15:30:00 +0100 From: "Disclosure" <Disclosure@...uretest.com> To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com> Subject: XSS vulnerability in Cisco MeetingPlace SecureTest Ltd (www.securetest.com) Security Advisory XSS vulnerability in Cisco MeetingPlace Date: 18th July 2007 Author: Roger Jefferiss Application: Cisco MeetingPlace Risk: Medium Vendor Status: Replicated and verified by Cisco Systems, patch available. Reference: http://www.cisco.com Overview: There exists a cross site scripting issue in Cisco MeetingPlace Application. The result of this is that when a specially crafted web page with a hidden arbitrary code could be executed on the host accessing the application. Details: Cisco Meetingplace provides a web based application for online meetings. It was discovered that a specially crafted script could be executed on certain parameters with in Meetingplace application. The result is script code execution in the local user context in the host. Preliminary tests concluded the system is vulnerable with most popular web browsers such as Microsoft Internet Explorer 7.0 and Mozilla Firefox 2.0 fully patched. User intervention (e.g. clicking on a malicious link) is necessary to trigger the exploit. Affected Versions: This vulnerability has been confirmed in the following versions: - 4.3.0.246 - 4.3.0.246.5 - 5.3.104.0 - 5.3.104.3 The following versions have been tested and are unaffected due to the fact they return an xml template: - 5.3.333.0 - 5.3.447 - 5.3.447.4 - 5.4.70.0 - 6.0.170.0 Vendor Response: Cisco bug ID: CSCsi33940 The above vulnerability was addressed by Cisco Systems recommending that you update grade to Version 5.3.333.0 or higher Please see http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for details. SecureTest for all your PCI requirements- PCI workshops, PCI Scoping, Assistance with Self Assessment questionnaires, Gap Analysis, ASV Scanning, PCI-DSS Audits - SecureTest are an accredited PCI ASV & QSA company. Contact SecureTest now to discuss your requirements in more detail on 01844 210310 or e-mail us pci@...uretest.com SecureTest Ltd is a company registered in England and Wales with company number 4474600 Our VAT number is 793 8555 69 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists