ID

VAR-201110-0253


CVE

CVE-2011-3294


TITLE

Cisco TelePresence Video Communication Servers Management interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2011-002501

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the login page in the administrative interface on Cisco TelePresence Video Communication Servers (VCS) with software before X7.0 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, aka Bug ID CSCts80342. Cisco TelePresence Video Communication Server is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Versions prior to Cisco TelePresence Video Communication Server X7.0 are affected.

Trust: 1.98

sources: NVD: CVE-2011-3294 // JVNDB: JVNDB-2011-002501 // BID: 50084 // VULHUB: VHN-51239

AFFECTED PRODUCTS

vendor: cisco, model: telepresence video communication servers software, scope: eq, version: x6.0

Trust: 1.0

vendor: cisco, model: telepresence video communication servers, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: telepresence video communication servers software, scope: eq, version: x5.2

Trust: 1.0

vendor: cisco, model: telepresence video communication servers software, scope: lte, version: x6.1

Trust: 1.0

vendor: cisco, model: telepresence video communication server, scope: lt, version: software x7.0

Trust: 0.8

vendor: cisco, model: telepresence video communication servers, scope: -, version: -

Trust: 0.6

vendor: cisco, model: telepresence video communication server, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: telepresence video communication server, scope: ne, version: x7.0

Trust: 0.3

sources: BID: 50084 // JVNDB: JVNDB-2011-002501 // CNNVD: CNNVD-201110-513 // NVD: CVE-2011-3294

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3294
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-3294
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201110-513
value: MEDIUM

Trust: 0.6

VULHUB: VHN-51239
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-3294
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-51239
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-51239 // JVNDB: JVNDB-2011-002501 // CNNVD: CNNVD-201110-513 // NVD: CVE-2011-3294

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-51239 // JVNDB: JVNDB-2011-002501 // NVD: CVE-2011-3294

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201110-513 // CNNVD: CNNVD-201110-245

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201110-513

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002501

PATCH

title: 113264, url: http://www.cisco.com/en/US/products/products_security_response09186a0080b98d0b.html

Trust: 0.8

title: 1108711_cisco-sr-20111012-vcs-j, url: http://www.cisco.com/cisco/web/support/JP/110/1108/1108711_cisco-sr-20111012-vcs-j.html

Trust: 0.8

title: 24319, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=24319

Trust: 0.8

sources: JVNDB: JVNDB-2011-002501

EXTERNAL IDS

db: NVD, id: CVE-2011-3294

Trust: 2.8

db: BID, id: 50084

Trust: 2.6

db: SECTRACK, id: 1026186

Trust: 1.7

db: JVNDB, id: JVNDB-2011-002501

Trust: 0.8

db: CNNVD, id: CNNVD-201110-513

Trust: 0.7

db: CISCO, id: 20111012 CISCO TELEPRESENCE VIDEO COMMUNICATION SERVER CROSS-SITE SCRIPTING VULNERABILITY

Trust: 0.6

db: XF, id: 70563

Trust: 0.6

db: CNNVD, id: CNNVD-201110-245

Trust: 0.6

db: VULHUB, id: VHN-51239

Trust: 0.1

sources: VULHUB: VHN-51239 // BID: 50084 // JVNDB: JVNDB-2011-002501 // CNNVD: CNNVD-201110-513 // CNNVD: CNNVD-201110-245 // NVD: CVE-2011-3294

REFERENCES

url: http://www.securityfocus.com/bid/50084

Trust: 2.3

url: http://www.cisco.com/en/us/products/products_security_response09186a0080b98d0b.html

Trust: 2.0

url: http://securitytracker.com/id?1026186

Trust: 1.7

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/70563

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3294

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3294

Trust: 0.8

url: http://xforce.iss.net/xforce/xfdb/70563

Trust: 0.6

url: http://www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-51239 // BID: 50084 // JVNDB: JVNDB-2011-002501 // CNNVD: CNNVD-201110-513 // CNNVD: CNNVD-201110-245 // NVD: CVE-2011-3294

CREDITS

Billy Hoffman of Zoompf, Inc.

Trust: 0.9

sources: BID: 50084 // CNNVD: CNNVD-201110-245

SOURCES

db: VULHUB, id: VHN-51239
db: BID, id: 50084
db: JVNDB, id: JVNDB-2011-002501
db: CNNVD, id: CNNVD-201110-513
db: CNNVD, id: CNNVD-201110-245
db: NVD, id: CVE-2011-3294

LAST UPDATE DATE

2024-08-14T13:49:06.685000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-51239, date: 2017-08-29T00:00:00
db: BID, id: 50084, date: 2011-10-21T15:35:00
db: JVNDB, id: JVNDB-2011-002501, date: 2011-10-25T00:00:00
db: CNNVD, id: CNNVD-201110-513, date: 2011-10-20T00:00:00
db: CNNVD, id: CNNVD-201110-245, date: 2011-10-18T00:00:00
db: NVD, id: CVE-2011-3294, date: 2017-08-29T01:30:08.880

SOURCES RELEASE DATE

db: VULHUB, id: VHN-51239, date: 2011-10-19T00:00:00
db: BID, id: 50084, date: 2011-10-12T00:00:00
db: JVNDB, id: JVNDB-2011-002501, date: 2011-10-25T00:00:00
db: CNNVD, id: CNNVD-201110-513, date: 2011-10-20T00:00:00
db: CNNVD, id: CNNVD-201110-245, date: 1900-01-01T00:00:00
db: NVD, id: CVE-2011-3294, date: 2011-10-19T15:55:02.267