SecurityTracker.com
Category:   Application (Generic)  >   Cisco Video Surveillance Software
Vendors:   Cisco
Cisco Video Surveillance Manager Bugs Let Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1028827
SecurityTracker URL:  http://securitytracker.com/id/1028827
CVE Reference:   CVE-2013-3429, CVE-2013-3430, CVE-2013-3431
Date:  Jul 24 2013
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Two vulnerabilities were reported in Cisco Video Surveillance Manager. A remote user can obtain potentially sensitive information and modify some configuration settings.

A remote user can supply a specially crafted URL to access sensitive system files [CVE-2013-3429]. The vendor has assigned bug ID CSCsv37163 to this vulnerability.

A remote user can access pages that do not require authentication, including configuration, monitoring pages archives, and system logs [CVE-2013-3430, CVE-2013-3431]. A remote user can exploit this to create, modify, and remove camera feeds, archives, logs, and users. The vendor has assigned bug IDs CSCsv37288 and CSCsv40169 to this vulnerability.

Basem Saleh reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information.

A remote user can create, modify, and remove camera feeds, archives, logs, and users.

Solution:   The vendor has issued a fix (7.0.1).

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 24 Jul 2013 12:05:37 -0400
Subject:  [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video Surveillance Manager


Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video Surveillance Manager

Advisory ID: cisco-sa-20130724-vsm

Revision 1.0

For Public Release 2013 July 24 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Cisco Video Surveillance Manager (VSM) allows operations managers and system integrators to build customized video surveillance networks to meet their needs. Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints. Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system.

More information on Cisco VSM can be found at http://www.cisco.com/en/US/products/ps10818/index.html.

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm


Copyright 2014, SecurityGlobal.net LLC