Session Fixation Vulnerability in Cisco Meeting Server Management Interface
CVE-2018-0359

5.5MEDIUM

Key Information:

Vendor
Cisco
Status
Cisco Meeting Server Unknown
Vendor
CVE Published:
21 June 2018

Summary

A vulnerability exists in the session identification management functionality of Cisco Meeting Server's web-based management interface. This design flaw allows an unauthenticated local attacker to hijack valid user session identifiers, potentially leading to unauthorized access. The application fails to assign a new session identifier during user authentication, leaving sessions vulnerable. An attacker can exploit this flaw by using a hijacked session identifier, allowing them to connect to the application and hijack an authenticated user's browser session, thereby gaining unauthorized access to sensitive data and control.

Affected Version(s)

Cisco Meeting Server unknown Cisco Meeting Server unknown

References

http://www.securityfocus.com/bid/104583
vdb-entryx_refsource_BID
https://tools.cisco.com/security/center/content/CiscoSecu...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1041174
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.