PT-2019-1382 · Cisco · Cisco Expressway Series+2
Published: 2019-02-06 · Updated: 2023-03-23 · CVE-2019-1679
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cisco TelePresence Conductor versions prior to XC4.3.4
Cisco Expressway Series versions prior to XC4.3.4
Cisco TelePresence Video Communication Server versions prior to XC4.3.4
Description
The issue stems from insufficient access controls on the REST API. An authenticated, remote attacker can cause an affected server to send an HTTP request to an arbitrary host, which is known as server-side request forgery (SSRF). The attacker exploits this by submitting a crafted HTTP request to the affected server.
Recommendations
For Cisco TelePresence Conductor versions prior to XC4.3.4, update to version XC4.3.4 or later.
For Cisco Expressway Series versions prior to XC4.3.4, update to version XC4.3.4 or later.
For Cisco TelePresence Video Communication Server versions prior to XC4.3.4, update to version XC4.3.4 or later.
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Cisco Expressway Series
Cisco TelePresence Conductor
Cisco TelePresence Video Communication Server