Vigil@nce - Cisco Unity Express: Cross Site Request Forgery
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger several Cross-Site Request Forgery attacks
against Cisco Unity Express, in order to launch operations in the
context of the web site.
Impacted products: Cisco Unity
Severity: 2/4
Creation date: 04/02/2013
Revision date: 05/02/2013
DESCRIPTION OF THE VULNERABILITY
Cisco Unity Express uses a web site.
However, the /Web/SA/SaveConfiguration.do page accepts requests
originating from another site. For example, the "RELOAD" command
restarts the product.
An attacker can therefore trigger several Cross-Site Request
Forgery attacks against Cisco Unity Express, in order to launch
operations in the context of the web site.
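A defender-side check for the behaviour described above, as an added example that is not part of the Vigil@nce bulletin or of Cisco's code: it scans web access logs for requests to /Web/SA/SaveConfiguration.do whose Referer is missing or names another site. The "combined" log format, the host name cue.example.test and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path named in the bulletin.
SENSITIVE_PATH = "/Web/SA/SaveConfiguration.do"

# Assumption: logs come from a proxy in front of the product's web site, in "combined" format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses and host names, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [04/Feb/2013:10:01:12 +0000] "POST /Web/SA/SaveConfiguration.do HTTP/1.1" 200 512 "https://cue.example.test/" "Mozilla/5.0"',
    '192.0.2.10 - admin [04/Feb/2013:10:07:45 +0000] "POST /Web/SA/SaveConfiguration.do HTTP/1.1" 200 512 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '192.0.2.10 - admin [04/Feb/2013:10:08:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.23 - - [04/Feb/2013:10:15:30 +0000] "POST /Web/SA/SaveConfiguration.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def classify(line, own_hosts):
    """Return 'same-site', 'cross-site' or 'no-referer'; None if the line is not relevant."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m["target"]).path != SENSITIVE_PATH:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"  # cannot be attributed to the product's own pages
    host = (urlsplit(referer).hostname or "").lower()
    return "same-site" if host in own_hosts else "cross-site"

def find_suspect_requests(lines, own_hosts):
    """Return (line_number, verdict) for requests that did not come from the site itself."""
    hosts = {h.lower() for h in own_hosts}
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line.strip(), hosts)
        if verdict in ("cross-site", "no-referer"):
            hits.append((n, verdict))
    return hits

if __name__ == "__main__":
    for n, verdict in find_suspect_requests(SAMPLE_LOG, {"cue.example.test"}):
        print(f"line {n}: {verdict} request to {SENSITIVE_PATH}")
```

A missing Referer is reported separately because some browsers and proxies strip the header, so those hits need manual review rather than automatic alerting.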
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-Unity-Express-Cross-Site-Request-Forgery-12371