Cisco Cisco TelePresence Video Communication Server Expressway 릴리즈 노트
Resolved caveats
Cisco TelePresence Video Communication Server X7.0.2 Software Release Notes
Page 13 of 32
Internal
reference
reference
Identifier
Summary
CVE ID CVE-2011-2538 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
86676
CSCtr80205
PHP vulnerabilities CVE-2010-4697 and CVE-2006-7243: previous
releases of Cisco VCS were vulnerable to CVE-2010-4697 and CVE-2006-
7243. Version X7.0 has been upgraded to use php 5.3.5 which has resolved
the issue.
releases of Cisco VCS were vulnerable to CVE-2010-4697 and CVE-2006-
7243. Version X7.0 has been upgraded to use php 5.3.5 which has resolved
the issue.
86985 /
119916
119916
CSCts82540
CSCts80342
CSCts80342
A vulnerability exists in Cisco TelePresence Video Communication Server
(VCS) due to improper validation of user-controlled input to the web-based
administrative interface. User-controlled input supplied to the login page via
the HTTP User-Agent header is not properly sanitized for illegal or malicious
content prior to being returned to the user in dynamically generated web
content. A remote attacker could exploit this vulnerability to perform reflected
cross-site scripting (XSS) attacks.
Billy Hoffman from Zoompf, Inc. discovered this vulnerability and Ben
Feinstein from Dell SecureWorks reported it to Cisco. Cisco greatly
appreciates the opportunity to work with researchers on security
vulnerabilities and welcome the opportunity to review and assist in product
reports.
Cisco TelePresence Video Communication Server Software versions earlier
than X7.0 are affected. This vulnerability has been corrected in Cisco
TelePresence Video Communication Server Software version X7.0.
The Cisco Security Response has been published at:
(VCS) due to improper validation of user-controlled input to the web-based
administrative interface. User-controlled input supplied to the login page via
the HTTP User-Agent header is not properly sanitized for illegal or malicious
content prior to being returned to the user in dynamically generated web
content. A remote attacker could exploit this vulnerability to perform reflected
cross-site scripting (XSS) attacks.
Billy Hoffman from Zoompf, Inc. discovered this vulnerability and Ben
Feinstein from Dell SecureWorks reported it to Cisco. Cisco greatly
appreciates the opportunity to work with researchers on security
vulnerabilities and welcome the opportunity to review and assist in product
reports.
Cisco TelePresence Video Communication Server Software versions earlier
than X7.0 are affected. This vulnerability has been corrected in Cisco
TelePresence Video Communication Server Software version X7.0.
The Cisco Security Response has been published at:
PSIRT Evaluation: the Cisco PSIRT has assigned this bug the following
CVSS version 2 score. The Base and Temporal CVSS scores as of the time
of evaluation are 4.3/4.1:
CVSS version 2 score. The Base and Temporal CVSS scores as of the time
of evaluation are 4.3/4.1:
CVE ID CVE-2011-3294 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
Additional information on Cisco's security vulnerability policy can be found at
the following URL:
Other
Internal
reference
reference
Identifier
Summary
85593
CSCtr80162
External policy: when editing a policy service under the VCS configuration
> Dial plan > Policy services web page it is not possible to change the
password used for remote authentication. The password can however be
changed via the CLI interface or by deleting and then recreating the whole
policy service with the new password. This issue has now been resolved.
> Dial plan > Policy services web page it is not possible to change the
password used for remote authentication. The password can however be
changed via the CLI interface or by deleting and then recreating the whole
policy service with the new password. This issue has now been resolved.
85692
CSCtr80200
Truncated SNMP object value: the SNMP sysObjectID scalar MIB object
value was being returned truncated by the Cisco VCS. Instead of returning
1.3.6.1.4.1.5596.130.6.4.1 it actually returned 1. This meant that if Cisco
TMS was configured to find devices using SNMP (the default configuration) it
would not discover the Cisco VCS. This issue has now been resolved.
value was being returned truncated by the Cisco VCS. Instead of returning
1.3.6.1.4.1.5596.130.6.4.1 it actually returned 1. This meant that if Cisco
TMS was configured to find devices using SNMP (the default configuration) it
would not discover the Cisco VCS. This issue has now been resolved.
88084
CSCtr80209
Incorrect responses to attempts to communicate with the Cisco VCS on
ports in range 4369–4380: the issue where the Cisco VCS incorrectly
responded with an ISAKMP message if a device attempted to connect to a
VCS port in the range 4369–4380 has been resolved.
ports in range 4369–4380: the issue where the Cisco VCS incorrectly
responded with an ISAKMP message if a device attempted to connect to a
VCS port in the range 4369–4380 has been resolved.
88493
CSCtr80179
Internal server error when unregistering and blocking an alias: resolved