Cisco Unified MeetingPlace Web Conference Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	25237
Class:	Input Validation Error
CVE:	CVE-2007-4284
Remote:	Yes
Local:	No
Published:	Aug 08 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	Roger Jefferiss is credited with the discovery of these vulnerabilities.
Vulnerable:	Cisco Unified MeetingPlace Web Conference 5.3.104.3 Cisco Unified MeetingPlace Web Conference 5.3.104.0 Cisco Unified MeetingPlace Web Conference 4.3.0.246.5 Cisco Unified MeetingPlace Web Conference 4.3.0.246
Not Vulnerable:	Cisco Unified MeetingPlace Web Conference 5.3.447 Cisco Unified MeetingPlace Web Conference 6.0.639.4 Cisco Unified MeetingPlace Web Conference 6.0.170.0 Cisco Unified MeetingPlace Web Conference 5.4.70.0 Cisco Unified MeetingPlace Web Conference 5.3.447.4 Cisco Unified MeetingPlace Web Conference 5.3.333.0

Cisco Unified MeetingPlace Web Conference Multiple Cross Site Scripting Vulnerabilities

Cisco Unified MeetingPlace Web Conference is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks.

These issues are being monitored by Cisco bug ID CSCsi33940 and CSCtd69750.

Update June 24, 2010: Security scanners may still flag the 'STPL' and 'FTPL' parameters as vulnerable. The vendor is documenting this issue in Cisco bug ID CSCtd69750.

Cisco Unified MeetingPlace Web Conference Multiple Cross Site Scripting Vulnerabilities

An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.

Cisco Unified MeetingPlace Web Conference Multiple Cross Site Scripting Vulnerabilities

Solution:
The vendor released an update to address these issues. Please see the references for more information.

Cisco Unified MeetingPlace Web Conference Multiple Cross Site Scripting Vulnerabilities

References:

• Cisco Unified MeetingPlace Home Page (Cisco )
  
• Cisco Security Response: Cisco Unified MeetingPlace XSS Vulnerability (Cisco)
  
• XSS vulnerability in Cisco MeetingPlace ([email protected])
  
• Cross-site scripting vulnerability in Cisco MeetingPlace (Cisco)