CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1676 – Cisco Meeting Server SIP Processing Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1676
A vulnerability in the Session Initiation Protocol (SIP) call processing of Cisco Meeting Server (CMS) software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Cisco Meeting Server. The vulnerability is due to insufficient validation of Session Description Protocol (SDP) messages. An attacker could exploit this vulnerability by sending a crafted SDP message to the CMS call bridge. An exploit could allow the attacker to cause the CMS to reload, causing a DoS condition for all connected clients. Versions prior to 2.3.9 are affected. • http://www.securityfocus.com/bid/106909 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-meeting-sipdos • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-0439 – Cisco Meeting Server Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2018-0439
A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user. Una vulnerabilidad en la interfaz de gestión basada en web de Cisco Meeting Server podría permitir que un atacante remoto sin autenticar lleve a cabo un ataque de Cross-Site Request Forgery (CSRF) y realice acciones arbitrarias en un dispositivo afectado. • http://www.securityfocus.com/bid/105287 http://www.securitytracker.com/id/1041680 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-meeting-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0359
https://notcve.org/view.php?id=CVE-2018-0359
A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid user session identifier, aka Session Fixation. The vulnerability exists because the affected application does not assign a new session identifier to a user session when a user authenticates to the application. An attacker could exploit this vulnerability by using a hijacked session identifier to connect to the application through the web-based management interface. A successful exploit could allow the attacker to hijack an authenticated user's browser session. Cisco Bug IDs: CSCvi23787. • http://www.securityfocus.com/bid/104583 http://www.securitytracker.com/id/1041174 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-cms-sf • CWE-384: Session Fixation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0371
https://notcve.org/view.php?id=CVE-2018-0371
A vulnerability in the Web Admin Interface of Cisco Meeting Server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation of incoming HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the Web Admin Interface of an affected Cisco Meeting Server. A successful exploit could allow the attacker to restart the system, terminating all ongoing calls and resulting in a DoS condition on the affected product. This vulnerability affects the following releases of Cisco Meeting Server: Acano X-Series, Cisco Meeting Server 1000, Cisco Meeting Server 2000. • http://www.securityfocus.com/bid/104582 http://www.securitytracker.com/id/1041175 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-meeting-server-dos • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0263
https://notcve.org/view.php?id=CVE-2018-0263
A vulnerability in Cisco Meeting Server (CMS) could allow an unauthenticated, adjacent attacker to access services running on internal device interfaces of an affected system. The vulnerability is due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. A successful exploit could allow the attacker to gain unauthenticated access to configuration and database files and sensitive meeting information on an affected system. This vulnerability affects Cisco Meeting Server (CMS) 2000 Platforms that are running a CMS Software release prior to Release 2.2.13 or Release 2.3.4. Cisco Bug IDs: CSCvg76471. • http://www.securityfocus.com/bid/104419 http://www.securitytracker.com/id/1041065 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id • CWE-16: Configuration CWE-1188: Initialization of a Resource with an Insecure Default •