CVE-2010-0642

Name of the Vulnerable Software and Affected Versions Cisco Collaboration Server (CCS) version 5

Description The issue allows remote attackers to read the source code of JHTML files by manipulating URL encoded characters in the filename extension. This can be achieved through various methods, including changing the .jhtml extension to %2Ejhtml, .jhtm%6C, appending %00, or appending %c0%80 after .jhtml. The affected components include doc/docindex.jhtml, browserId/wizardForm.jhtml, webline/html/forms/callback.jhtml, webline/html/forms/callbackICM.jhtml, webline/html/agent/AgentFrame.jhtml, webline/html/agent/default/badlogin.jhtml, callme/callForm.jhtml, webline/html/multichatui/nowDefunctWindow.jhtml, browserId/wizard.jhtml, admin/CiscoAdmin.jhtml, msccallme/mscCallForm.jhtml, and webline/html/admin/wcs/LoginPage.jhtml.

Recommendations As a temporary workaround, consider restricting access to the affected JHTML files until a patch is available. Avoid using URL encoded characters in the filename extension to minimize the risk of exploitation.