Cisco Unified MeetingPlace Multiple Session Weaknesses

Severity: High, Nessus Plugin ID: 70078

Synopsis

The remote web server is running a conferencing application with multiple session weaknesses.

Description

According to its self-reported version number, the installation of Cisco Unified MeetingPlace hosted on the remote web server may be affected by multiple session weaknesses:

- The application fails to invalidate a session upon a logout action, which makes it easier for remote attackers to hijack sessions by leveraging knowledge of a session cookie. (CVE-2013-1168)

- When the 'Remember Me' option is used, the application fails to properly verify cookies, which may allow an unauthenticated, remote attacker to impersonate users via crafted login requests. (CVE-2013-1169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Additionally, the coarse nature of the version information Nessus gathered is not enough to confirm that the application is vulnerable, only that it might be affected.

Solution

Upgrade to 7.1MR1 Patch 2 / 8.0MR1 Patch 2 / 8.5MR3 Patch 1 or later.

See Also

http://www.nessus.org/u?bec0e8b8

Plugin Details

Severity: High

ID: 70078

File Name: cisco-sa-20130410-mp.nasl

Version: 1.11

Type: remote

Family: CISCO

Published: 9/23/2013

Updated: 6/4/2024

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:cisco:unified_meetingplace

Required KB Items: installed_sw/Cisco Unified MeetingPlace

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 4/10/2013

Vulnerability Publication Date: 4/10/2013

Reference Information

CVE: CVE-2013-1168, CVE-2013-1169

BID: 59006, 59014