Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability
Version(s): VCS prior to 7.0
A vulnerability was reported in Cisco TelePresence Video Communication Server. A remote user can conduct cross-site scripting attacks.
A vulnerability exists in Cisco TelePresence Video Communication Server (VCS) due to improper validation of user-controlled input to the web-based administrative interface. User-controlled input supplied to the login page via the HTTP User-Agent header is not properly sanitized for illegal or malicious content prior to being returned to the user in dynamically generated web content. A remote attacker could exploit this vulnerability to perform reflected cross-site scripting attacks.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Cisco TelePresence software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Cisco TelePresence Video Communication Server Software versions earlier than X7.0 are affected. This vulnerability has been corrected in Cisco TelePresence Video Communication Server Software version X7.0.
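The flaw class described above (the User-Agent request header echoed into the login page without output encoding) shown beside a hardened form. This is an added example, not Cisco's code: the WSGI handler, page template, function names and sample header value are all assumptions constructed for illustration.

```python
# Added example: hypothetical login-page handler, NOT Cisco VCS code.
import html
from wsgiref.util import setup_testing_defaults

PAGE = "<html><body><h1>Login</h1><p>Browser: {ua}</p></body></html>"
MAX_UA_LEN = 256  # assumed bound; real User-Agent strings are far shorter

def render_login_unsafe(environ):
    """Flawed pattern: the header value is placed into HTML verbatim."""
    return PAGE.format(ua=environ.get("HTTP_USER_AGENT", ""))

def render_login_safe(environ):
    """Hardened pattern: bound the length, then HTML-encode at output."""
    ua = environ.get("HTTP_USER_AGENT", "")[:MAX_UA_LEN]
    return PAGE.format(ua=html.escape(ua, quote=True))

def app(environ, start_response):
    """WSGI app serving the hardened page plus defence-in-depth headers."""
    body = render_login_safe(environ).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        # Blocks inline script even if an encoding step is missed elsewhere.
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body]

def make_environ(user_agent):
    """Build a minimal WSGI environ carrying the given User-Agent."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_USER_AGENT"] = user_agent
    return environ

def call_app(user_agent):
    """Invoke the app in-process; return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(make_environ(user_agent), start_response)).decode()
    return captured["status"], captured["headers"], body

# Constructed sample input: a User-Agent value carrying HTML markup.
CONSTRUCTED_UA = 'Mozilla/5.0 "<script>alert(1)</script>'

if __name__ == "__main__":
    env = make_environ(CONSTRUCTED_UA)
    print("unsafe:", render_login_unsafe(env))
    print("safe:  ", render_login_safe(env))
```

Encoding is applied at the point of output rather than by filtering the header on input, so the value is rendered as inert text whatever it contains.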