Detections
Analytics
Cisco TelePresence VCS Expressway 8.5.3 XML External Entity (XXE) Injection
medium Nessus Plugin ID 85649
Language:
Synopsis
The remote host is affected by an XML External Entity (XXE) injection vulnerability.Description
According to its self-reported version, the instance of Cisco TelePresence Video Communication Server (VCS) Expressway running on the remote host is affected by an XML External Entity (XXE) injection vulnerability due to insufficient validation of declared document type definitions (DTD) stored externally. An authenticated, remote attacker can exploit this, via a specially crafted XML file, to cause a denial of service condition or to read arbitrary files.Solution
Contact the vendor for a fix.See Also
https://tools.cisco.com/bugsearch/bug/CSCuv31853
https://tools.cisco.com/security/center/viewAlert.x?alertId=40446
Plugin Details
Severity: Medium
ID: 85649
File Name: cisco_telepresence_vcs_CSCuv31853.nasl
Version: 1.6
Type: remote
Family: CISCO
Published: 8/26/2015
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 5.5
Temporal Score: 4.1
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSS Score Source: CVE-2015-4315
CVSS v3
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Vulnerability Information
CPE: cpe:/h:cisco:telepresence_video_communication_server, cpe:/a:cisco:telepresence_video_communication_server, cpe:/a:cisco:telepresence_video_communication_server_software
Required KB Items: Cisco/TelePresence_VCS/Version
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 8/13/2015
Reference Information
CVE: CVE-2015-4315
BID: 76352
CISCO-BUG-ID: CSCuv31853