Vigil@nce - Cisco Unified MeetingPlace: Cross Site Request Forgery of URL API
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Request Forgery in the URL API
of Cisco Unified MeetingPlace, in order to force the victim to
perform operations.
– Impacted products: Cisco Unified MeetingPlace
– Severity: 2/4
– Creation date: 22/04/2015
DESCRIPTION OF THE VULNERABILITY
The Cisco Unified MeetingPlace product offers a web service.
However, the origin of queries sent to the URL API is not checked.
A query can, for example, originate from an image included in an
HTML document.
An attacker can therefore trigger a Cross Site Request Forgery in
the URL API of Cisco Unified MeetingPlace, in order to force the
victim to perform operations.
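One way to implement the origin check that the description says is missing, as an added example (not Cisco's or Vigil@nce's code). The host name, function names and header values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: origin the web service is served from (constructed value).
TRUSTED_ORIGIN = "https://meetingplace.example.com"


def origin_of(url):
    """Return scheme://host[:port] of an absolute URL, else None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request_origin(headers, trusted=TRUSTED_ORIGIN):
    """Return (allowed, reason) for a state-changing URL API request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. Fetch Metadata: the browser states where the request came from.
    site = h.get("sec-fetch-site")
    if site is not None:
        if site != "same-origin":
            return False, f"sec-fetch-site={site}"
        # An API call is never the target of an <img>, <script> or frame.
        dest = h.get("sec-fetch-dest", "empty")
        if dest not in ("empty", "document"):
            return False, f"sec-fetch-dest={dest}"
        return True, "fetch-metadata"

    # 2. Origin header: exact comparison, so "null" and look-alikes fail.
    origin = h.get("origin")
    if origin is not None:
        ok = origin.lower() == trusted
        return ok, "origin" if ok else f"origin={origin}"

    # 3. Referer: compare the parsed origin, never a string prefix.
    referer = h.get("referer")
    if referer is not None:
        ok = origin_of(referer) == trusted
        return ok, "referer" if ok else "referer-mismatch"

    # 4. No provenance information at all: fail closed.
    return False, "no-origin-information"
```

The reason string is meant for the access log, so rejected requests can be reviewed alongside the session that carried them.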