PT-2017-17198 · Cisco · Cisco Unity Connection

Published: 2017-05-03 · Updated: 2017-07-11 · CVE-2017-6629

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Cisco Unity Connection version 10.5(2)

Description: A vulnerability could allow an unauthenticated, remote attacker to access files in arbitrary locations on the filesystem of an affected device. The issue is due to improper sanitization of user-supplied input in HTTP POST parameters that describe filenames, specifically the ImageID parameter. An attacker could exploit this by using directory traversal techniques to submit a path to a desired file location.

Recommendations: For Cisco Unity Connection version 10.5(2), consider restricting access to the ImageID parameter in HTTP POST requests until a patch is available. As a temporary workaround, avoid using the ImageID parameter to minimize the risk of exploitation.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2017-6629

Affected Products

Cisco Unity Connection