CVE-2015-4684

Name of the Vulnerable Software and Affected Versions Polycom RealPresence Resource Manager versions prior to 8.4

Description The issue allows remote authenticated users to read arbitrary files and remote authenticated administrators to upload arbitrary files. This can be achieved through various parameters in different requests, including the Modifier parameter to /PlcmRmWeb/FileDownload, the Filename or SE FNAME parameter to /PlcmRmWeb/FileUpload, and the filePathName parameter in an importSipUriReservations SOAP request to /PlcmRmWeb/JUserManager.

Recommendations For versions prior to 8.4, update to version 8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /PlcmRmWeb/FileDownload, /PlcmRmWeb/FileUpload, and /PlcmRmWeb/JUserManager endpoints to minimize the risk of exploitation. Additionally, restrict the use of the Modifier, Filename, SE FNAME, and filePathName parameters in these endpoints until the issue is resolved.