Cisco TelePresence Conductor REST API Server-Side Request Forgery Vulnerability

medium Nessus Plugin ID 128176

Synopsis

The remote Cisco TelePresence Conductor device is affected by a server-side request forgery vulnerability.

Description

According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a server-side request forgery vulnerability in its REST API which could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host.

Note that an attacker must be authenticated to the device before this vulnerability can be exploited.

Solution

Upgrade to version XC4.3.4 or later.

See Also

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn339873

http://www.nessus.org/u?ee44583b

Plugin Details

Severity: Medium

ID: 128176

File Name: cisco_telepresence_conductor_CSCvn51692.nasl

Version: 1.3

Type: combined

Family: CISCO

Published: 8/27/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2019-1679

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:telepresence_conductor

Required KB Items: Host/Cisco_TelePresence_Conductor/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2019

Vulnerability Publication Date: 2/6/2019

Reference Information

CVE: CVE-2019-1679