Cisco Unified MeetingPlace Multiple Session Weaknesses

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a conferencing application with multiple
session weaknesses.

Description :

According to its self-reported version number, the installation of
Cisco Unified MeetingPlace hosted on the remote web server may be
affected by multiple session weaknesses :

- The application fails to invalidate a session upon a
  logout action, which makes it easier for remote
  attackers to hijack sessions by leveraging knowledge of
  a session cookie. (CVE-2013-1168)

- When the 'Remember Me' option is used, the application
  fails to properly verify cookies, which may allow an
  unauthenticated, remote attacker to impersonate users
  via crafted login requests. (CVE-2013-1169)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
Additionally, the coarse nature of the version information Nessus
gathered is not enough to confirm that the application is vulnerable,
only that it might be affected.

See also :

http://www.nessus.org/u?d394e551

Solution :

Upgrade to 7.1MR1 Patch 2 / 8.0MR1 Patch 2 / 8.5MR3 Patch 1 or
later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: CISCO

Nessus Plugin ID: 70078

Bugtraq ID: 59006, 59014

CVE ID: CVE-2013-1168, CVE-2013-1169