// For flags

CVE-2015-4328

 

Severity Score

4.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 improperly checks for a user account's read-only attribute, which allows remote authenticated users to execute arbitrary OS commands via crafted HTTP requests, as demonstrated by read or write operations on the Unified Communications lookup page, aka Bug ID CSCuv12552.

Vulnerabilidad en Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2, no verifica adecuadamente el atributo de solo lectura para las cuentas de usuario, lo cual permite a usuarios remotos autenticados ejecutar arbitrariamente comandos del SO a través de peticones HTTP manipuladas, como quedó demostrado en las operaciones de lectura y escritura en la página de búsqueda de Unified Communications, también conocido como Bug ID CSCuv12552.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-06-04 CVE Reserved
  • 2015-08-20 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Telepresence Video Communication Server Software
Search vendor "Cisco" for product "Telepresence Video Communication Server Software"
 x8.5.2
Search vendor "Cisco" for product "Telepresence Video Communication Server Software" and version "x8.5.2"
expressway
Affected