Unauthorized Password Change in Cisco Unified MeetingPlace Web Conferencing
CVE-2015-4262
Currently unrated
Key Information:
- Vendor: Cisco
- CVE Published: 24 July 2015
Summary
The password-change functionality in Cisco Unified MeetingPlace Web Conferencing before 8.5(5) MR3, and 8.6 before 8.6(2), does not verify the session ID or require entry of the current password. As a result, remote attackers can reset arbitrary user passwords with a crafted HTTP request.