Details of VAR-201507-0546

ID

VAR-201507-0546

CVE

CVE-2015-4262

TITLE

Cisco Unified MeetingPlace Web Conferencing Password change function vulnerable to arbitrary password reset

Trust: 0.8

sources: JVNDB: JVNDB-2015-003926

DESCRIPTION

The password-change feature in Cisco Unified MeetingPlace Web Conferencing before 8.5(5) MR3 and 8.6 before 8.6(2) does not check the session ID or require entry of the current password, which allows remote attackers to reset arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuu51839. Unified MeetingPlace Web Conferencing is prone to a security-bypass vulnerability. Successful exploits may allow attackers to use the reset credentials to gain full control of the application. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuu51839. The HTTP session function in does not validate the session ID in the HTTP request

Trust: 1.98

sources: NVD: CVE-2015-4262 // JVNDB: JVNDB-2015-003926 // BID: 75996 // VULHUB: VHN-82223

AFFECTED PRODUCTS

vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	6.0.417.0	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.0\(1\)_sr1	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.0\(3\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.0\(2\)_sr1	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.1\(2\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	6.0_base	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.0\(2\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(4\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.0\(2\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(3\)	Trust: 1.6
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(2\)	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(1\)	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	7.1\(1\)	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(2\)_sr2	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5\(2\)_sr1	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.0\(1\)	Trust: 1.0
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.6(2)	Trust: 0.8
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	eq	version:	8.5(5) mr3	Trust: 0.8
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	lt	version:	8.6	Trust: 0.8
vendor:	cisco	model:	unified meetingplace web conferencing	scope:	lt	version:	8.5	Trust: 0.8

sources: JVNDB: JVNDB-2015-003926 // CNNVD: CNNVD-201507-737 // NVD: CVE-2015-4262

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4262
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-4262
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201507-737
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-82223
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-4262
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-82223
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-82223 // JVNDB: JVNDB-2015-003926 // CNNVD: CNNVD-201507-737 // NVD: CVE-2015-4262

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.9

sources: VULHUB: VHN-82223 // JVNDB: JVNDB-2015-003926 // NVD: CVE-2015-4262

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-737

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201507-737

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003926

PATCH

title:	cisco-sa-20150722-mp	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-mp	Trust: 0.8
title:	39989	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=39989	Trust: 0.8
title:	cisco-sa-20150722-mp	url:	http://www.cisco.com/cisco/web/support/JP/113/1130/1130212_cisco-sa-20150722-mp-j.html	Trust: 0.8

sources: JVNDB: JVNDB-2015-003926

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4262	Trust: 2.8
db:	SECTRACK	id:	1033024	Trust: 1.1
db:	BID	id:	75996	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-003926	Trust: 0.8
db:	CNNVD	id:	CNNVD-201507-737	Trust: 0.7
db:	VULHUB	id:	VHN-82223	Trust: 0.1

sources: VULHUB: VHN-82223 // BID: 75996 // JVNDB: JVNDB-2015-003926 // CNNVD: CNNVD-201507-737 // NVD: CVE-2015-4262

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150722-mp	Trust: 2.0
url:	http://www.securitytracker.com/id/1033024	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4262	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4262	Trust: 0.8
url:	http://www.securityfocus.com/bid/75996	Trust: 0.6
url:	http://www.cisco.com/en/us/products/sw/ps5664/ps5669/products_tech_note09186a00807ed970.shtml	Trust: 0.3

sources: VULHUB: VHN-82223 // BID: 75996 // JVNDB: JVNDB-2015-003926 // CNNVD: CNNVD-201507-737 // NVD: CVE-2015-4262

CREDITS

Cisco

Trust: 0.9

sources: BID: 75996 // CNNVD: CNNVD-201507-737

SOURCES

db:	VULHUB	id:	VHN-82223
db:	BID	id:	75996
db:	JVNDB	id:	JVNDB-2015-003926
db:	CNNVD	id:	CNNVD-201507-737
db:	NVD	id:	CVE-2015-4262

LAST UPDATE DATE

2024-11-23T22:45:56.767000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-82223	date:	2017-09-21T00:00:00
db:	BID	id:	75996	date:	2015-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-003926	date:	2015-07-27T00:00:00
db:	CNNVD	id:	CNNVD-201507-737	date:	2015-07-31T00:00:00
db:	NVD	id:	CVE-2015-4262	date:	2024-11-21T02:30:43.680

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-82223	date:	2015-07-24T00:00:00
db:	BID	id:	75996	date:	2015-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-003926	date:	2015-07-27T00:00:00
db:	CNNVD	id:	CNNVD-201507-737	date:	2015-07-24T00:00:00
db:	NVD	id:	CVE-2015-4262	date:	2015-07-24T14:59:02.227