Cisco TelePresence Video Communication Server Expressway Release Notes
Resolved caveats
Cisco TelePresence Video Communication Server X7.2.4 Software Release Notes
Page 32 of 50
Identifier
Summary
CSCts82540
VCS, however Cisco is improving VCS product security by upgrading PHP to the latest
available version.
Additional information about the specific vulnerabilities listed above including conditions and
possible workarounds can be found by looking at the description of each CVE-id at:
http://cve.mitre.org/cve/ .
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and
Temporal CVSS scores as of the time of evaluation are 6.8/6.1:
CVE IDs CVE-2010-4697 and CVE-2006-7243 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following
URL:
CSCts80342
A vulnerability exists in Cisco TelePresence Video Communication Server (VCS) due to
improper validation of user-controlled input to the web-based administrative interface. User-
controlled input supplied to the login page via the HTTP User-Agent header is not properly
sanitized for illegal or malicious content prior to being returned to the user in dynamically
generated web content. A remote attacker could exploit this vulnerability to perform reflected
cross-site scripting (XSS) attacks.
Billy Hoffman from Zoompf, Inc. discovered this vulnerability and Ben Feinstein from Dell
SecureWorks reported it to Cisco. Cisco greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity to review and assist in
product reports.
Cisco TelePresence Video Communication Server Software versions earlier than X7.0 are
affected. This vulnerability has been corrected in Cisco TelePresence Video Communication
Server Software version X7.0.
The Cisco Security Response has been published at:
PSIRT Evaluation: the Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
CVE ID CVE-2011-3294 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following
URL:
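The reflected XSS pattern behind CSCts80342, shown as an added illustration rather than Cisco's own code: a hypothetical login page that echoes the HTTP User-Agent header into its HTML, first unescaped and then with the header encoded as HTML text, plus a check over constructed access-log lines that flags User-Agent values carrying markup characters. The page template, log format and sample values are assumptions made for this example.

```python
import html
import re

# Constructed sample User-Agent values (not captured from a real Cisco VCS):
# index 0 is benign, index 1 carries HTML markup.
SAMPLE_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0",
    "Mozilla/5.0 <script>alert(1)</script>",
]

# Hypothetical login page that echoes the browser's User-Agent into HTML text.
LOGIN_TEMPLATE = "<html><body><h1>Sign in</h1><p>Your browser: {ua}</p></body></html>"

# Characters that can change the meaning of HTML text or attribute context.
_MARKUP_CHARS = re.compile(r"[<>\"']")

def render_login_vulnerable(user_agent: str) -> str:
    """Reflects the header unchanged: the pattern CSCts80342 describes."""
    return LOGIN_TEMPLATE.format(ua=user_agent)

def render_login_fixed(user_agent: str) -> str:
    """Encodes the header as HTML text before it reaches the response body."""
    return LOGIN_TEMPLATE.format(ua=html.escape(user_agent, quote=True))

def header_is_reflected_unsafely(page: str, user_agent: str) -> bool:
    """True when a header containing markup characters appears verbatim in the page."""
    return bool(_MARKUP_CHARS.search(user_agent)) and user_agent in page

# Constructed access-log lines in Apache combined format (not real VCS logs).
SAMPLE_LOG = (
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /login HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"\n'
    '192.0.2.11 - - [01/Jan/2012:10:00:05 +0000] "GET /login HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 <script>alert(1)</script>"\n'
)

# Combined log format: the last quoted field is the User-Agent.
_COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def suspicious_user_agents(log_text: str) -> list:
    """Return (client ip, user agent) pairs whose User-Agent carries markup characters."""
    hits = []
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if m and _MARKUP_CHARS.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits
```

Encoding at the point of output is the fix; the log check only helps spot probing of an unpatched VCS and is no substitute for upgrading to X7.0 or later.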
Other
Identifier
Summary
CSCtr80162
External policy: when editing a policy service under the VCS configuration > Dial plan >
Policy services web page it is not possible to change the password used for remote
authentication. The password can however be changed via the CLI interface or by deleting and
then recreating the whole policy service with the new password.
CSCtr80200
Truncated SNMP object value: the SNMP sysObjectID scalar MIB object value was being
returned truncated by the Cisco VCS. Instead of returning 1.3.6.1.4.1.5596.130.6.4.1 it actually
returned 1. This meant that if Cisco TMS was configured to find devices using SNMP (the
default configuration) it would not discover the Cisco VCS.
CSCtr80209
Incorrect responses to attempts to communicate with the Cisco VCS on ports in range
4369–4380: the issue where the Cisco VCS incorrectly responded with an ISAKMP message if
a device attempted to connect to a VCS port in the range 4369–4380 has been resolved.
CSCtr80179
Internal server error when unregistering and blocking an alias: resolved the issue where
use of the Unregister and block button on the Registration details page when using a
Registration Policy of Deny List caused an internal server error.
CSCtl98133
Cisco VCS not responding to OLC: resolved the issue where the Cisco VCS was not