CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-0439 – Cisco Meeting Server Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2018-0439
A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user. Una vulnerabilidad en la interfaz de gestión basada en web de Cisco Meeting Server podría permitir que un atacante remoto sin autenticar lleve a cabo un ataque de Cross-Site Request Forgery (CSRF) y realice acciones arbitrarias en un dispositivo afectado. • http://www.securityfocus.com/bid/105287 http://www.securitytracker.com/id/1041680 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-meeting-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0263
https://notcve.org/view.php?id=CVE-2018-0263
A vulnerability in Cisco Meeting Server (CMS) could allow an unauthenticated, adjacent attacker to access services running on internal device interfaces of an affected system. The vulnerability is due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. A successful exploit could allow the attacker to gain unauthenticated access to configuration and database files and sensitive meeting information on an affected system. This vulnerability affects Cisco Meeting Server (CMS) 2000 Platforms that are running a CMS Software release prior to Release 2.2.13 or Release 2.3.4. Cisco Bug IDs: CSCvg76471. • http://www.securityfocus.com/bid/104419 http://www.securitytracker.com/id/1041065 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id • CWE-16: Configuration CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-0280
https://notcve.org/view.php?id=CVE-2018-0280
A vulnerability in the Real-Time Transport Protocol (RTP) bitstream processing of the Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient input validation of incoming RTP bitstreams. An attacker could exploit this vulnerability by sending a crafted RTP bitstream to an affected Cisco Meeting Server. A successful exploit could allow the attacker to deny audio and video services by causing media process crashes resulting in a DoS condition on the affected product. This vulnerability affects Cisco Meeting Server deployments that are running Cisco Meeting Server Software Releases 2.0, 2.1, 2.2, and 2.3. • http://www.securityfocus.com/bid/104209 http://www.securitytracker.com/id/1040923 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-msms • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 3%CPEs: 6EXPL: 0CVE-2018-0262
https://notcve.org/view.php?id=CVE-2018-0262
A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to gain unauthorized access to components of, or sensitive information in, an affected system, leading to Remote Code Execution. The vulnerability is due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. A successful exploit could allow the attacker to gain unauthenticated access to configuration and database files as well as sensitive meeting information on an affected system. Additionally, if the Traversal Using Relay NAT (TURN) service is enabled and utilizing Transport Layer Security (TLS) connections, an attacker could utilize TURN credentials to forward traffic to device daemons, allowing for remote exploitation. This vulnerability affects Cisco Meeting Server (CMS) Acano X-series platforms that are running a CMS Software release prior to 2.2.11. • http://www.securityfocus.com/bid/104079 http://www.securitytracker.com/id/1040819 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-cms-cx • CWE-16: Configuration •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12362
https://notcve.org/view.php?id=CVE-2017-12362
A vulnerability in Cisco Meeting Server versions prior to 2.2.2 could allow an authenticated, remote attacker to cause the system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to video calls being made on systems with a particular configuration. An attacker could exploit this by knowing a valid URI that directs to a Cisco Meeting Server. An attacker could then make a video call and cause the system to reload. Cisco Bug IDs: CSCve65931. • http://www.securityfocus.com/bid/101987 http://www.securitytracker.com/id/1039913 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-cms • CWE-399: Resource Management Errors •