SecurityTracker.com
Category:   Application (Generic)  >   Cisco Prime Collaboration
Vendors:   Cisco
Cisco Prime Collaboration Provisioning RBAC Failure Lets Remote Authenticated Users Delete Files on the Target System
SecurityTracker Alert ID:  1038514
SecurityTracker URL:  http://securitytracker.com/id/1038514
CVE Reference:   CVE-2017-6635
Date:  May 17 2017
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 11.0
Description:   A vulnerability was reported in Cisco Prime Collaboration Provisioning. A remote authenticated user can delete files on the target system.

The system does not properly validate user-supplied input in HTTP requests and does not apply role-based access controls (RBACs) to requested HTTP URLs.

A remote authenticated user can supply a specially crafted HTTP request containing directory traversal characters to delete arbitrary files on the target system.

The vendor has assigned bug ID CSCvc99597 to this vulnerability.

rgod (via Trend Micro Zero Day Initiative (ZDI)) reported this vulnerability.

Impact:   A remote authenticated user can delete arbitrary files on the target system.
Solution:   The vendor has issued a fix (12.1).

The vendor advisory is available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp3

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp3
Cause:   Access control error, Input validation error
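
The two causes listed above correspond to two checks a file-delete request handler has to make: a role check on the requested URL, and containment of the supplied path after traversal sequences are resolved. The following is an added example, not Cisco's code or the vendor fix; the role map, URL, root directory and function names are hypothetical.

```python
import os

# Assumed for illustration: which roles may call which URLs, and the
# only directory the delete endpoint is allowed to touch.
ROLE_PERMISSIONS = {"admin": {"/files/delete"}, "helpdesk": set()}
UPLOAD_ROOT = "/var/app/uploads"


class Denied(Exception):
    """Raised when a request fails the role check or the path check."""


def authorize(role, url):
    # Access control: deny unless the role is explicitly granted this URL.
    if url not in ROLE_PERMISSIONS.get(role, set()):
        raise Denied(f"role {role!r} may not call {url}")


def resolve_inside(root, user_path):
    # Input validation: resolve "..", absolute paths and symlinks first,
    # then require that the result is still strictly below the root.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    inside = os.path.commonpath([root_real, candidate]) == root_real
    if not inside or candidate == root_real:
        raise Denied(f"path {user_path!r} resolves outside {root_real}")
    return candidate


def handle_delete(role, url, filename, root=UPLOAD_ROOT):
    # Both checks run before any filesystem change is made.
    authorize(role, url)
    target = resolve_inside(root, filename)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target
```

The path check is applied to the resolved path rather than by filtering `../` out of the input string, so alternate spellings of the same traversal are handled by the same comparison.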

Message History:   None.


 Source Message Contents

Subject:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp3

 
 



Copyright 2021, SecurityGlobal.net LLC