Account Enumeration Flaw in Cisco Unified Communications Manager IM and Presence Service
CVE-2014-8000

Currently unrated

Key Information:

Vendor: Cisco
CVE Published: 21 November 2014

Summary

Cisco Unified Communications Manager IM and Presence Service version 9.1(1) has a security flaw that allows remote attackers to enumerate user accounts. The service responds to URL requests inconsistently depending on whether the requested username exists. By sending a sequence of requests and comparing the responses, an attacker can identify valid usernames on the system, which can lead to account compromise.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
