Cisco TelePresence VCS / Expressway Series < 12.5 REST API Server-Side Request Forgery Vulnerability

medium Nessus Plugin ID 128177

Synopsis

The remote host is affected by a security bypass vulnerability.

Description

According to its self-reported version number, the Cisco TelePresence VCS or Expressway Series software on the remote host is affected by a vulnerability in the web interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software that could allow an authenticated, remote attacker to trigger an HTTP request from the affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF).

Solution

Upgrade to version 12.5 or later.

See Also

https://tools.cisco.com/bugsearch/bug/CSCvn33987

http://www.nessus.org/u?ee44583b

Plugin Details

Severity: Medium

ID: 128177

File Name: cisco_telepresence_vcs_CSCvn33987.nasl

Version: 1.4

Type: remote

Family: CISCO

Published: 8/27/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2019-1679

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:telepresence_video_communication_server_software, cpe:/a:cisco:telepresence_video_communication_server, cpe:/h:cisco:telepresence_video_communication_server, cpe:/a:cisco:expressway_software

Required KB Items: Cisco/TelePresence_VCS/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2019

Vulnerability Publication Date: 2/6/2019

Reference Information

CVE: CVE-2019-1679