PT-2019-2066 · Cisco · Cisco Expressway Series+2

Published: 2019-05-01 · Updated: 2019-05-20 · CVE-2019-1854

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Expressway Series (affected versions not specified)
Cisco TelePresence Video Communication Server (affected versions not specified)

Description

A vulnerability in the management web interface could allow an authenticated, remote attacker to perform a directory traversal attack against an affected device. The issue is due to insufficient input validation on the web interface. An attacker could exploit this by sending a crafted HTTP request to the web interface, potentially bypassing security restrictions and accessing the web interface of a Cisco Unified Communications Manager associated with the affected device. Valid credentials would still be required to access the Cisco Unified Communications Manager interface.

Recommendations

For Cisco Expressway Series, consider restricting access to the management web interface until a fix is available. For Cisco TelePresence Video Communication Server, restrict access to the web interface to minimize the risk of exploitation. As a temporary workaround, consider disabling access to sensitive directories and paths to prevent directory traversal attacks.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2019-01811
CVE-2019-1854

Affected Products

Cisco Expressway Series
Cisco TelePresence Video Communication Server
Cisco Unified Communications Manager