Cisco Unified MeetingPlace SQL Injection and Cross Site Scripting Vulnerabilities

Bugtraq ID:	53431
Class:	Input Validation Error
CVE:	CVE-2012-0337
Remote:	Yes
Local:	No
Published:	Apr 18 2012 12:00AM
Updated:	Nov 01 2012 04:30PM
Credit:	The vendor reported these issues.
Vulnerable:	Cisco Unified MeetingPlace Web Conferencing 7.0 Cisco Unified MeetingPlace Web Conferencing 6.0 Cisco Unified MeetingPlace 6.0.639 .3 Cisco Unified MeetingPlace 6.0.639 .2 Cisco Unified MeetingPlace 7.1 Cisco Unified MeetingPlace 7.0(2.3) hotfix 5F Cisco Unified MeetingPlace 7 Cisco Unified MeetingPlace 6
Not Vulnerable:	Cisco Unified MeetingPlace 7.1.2 6 (MR1)

Cisco Unified MeetingPlace SQL Injection and Cross Site Scripting Vulnerabilities

Cisco Unified MeetingPlace is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.

Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Cisco Unified MeetingPlace versions prior to 7.1.2.6 (MR1) are affected.

Cisco Unified MeetingPlace SQL Injection and Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit the SQL-injection issue. The attacker must trick an unsuspecting user into following a malicious URI in order to exploit the cross-site scripting issue.

Cisco Unified MeetingPlace SQL Injection and Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for details.

Cisco Unified MeetingPlace SQL Injection and Cross Site Scripting Vulnerabilities

References:

• Cisco Unified MeetingPlace Home Page (Cisco )
  
• Release Notes for Cisco Unified MeetingPlace Release 7.1 (Cisco)