Cisco Unified MeetingPlace Web Page Source Code Remote Password Disclosure (CSCuu33050)

medium Nessus Plugin ID 84726

Synopsis

The remote web server is running a conferencing application that is affected by an information disclosure vulnerability.

Description

According to its self-reported version number, the Cisco Unified MeetingPlace application hosted on the remote web server is potentially affected by an information disclosure vulnerability due to improper handling of passwords. An authenticated, remote attacker can obtain plaintext passwords by viewing the source code of certain HTML pages.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Additionally, the coarse nature of the version information Nessus gathered is not enough to confirm that the application is vulnerable, only that it might be affected.

Solution

Upgrade to version 8.6(2.5) or greater.

Alternatively, contact the vendor regarding the patch for Cisco bug ID CSCuu33050.

See Also

http://www.nessus.org/u?851bfd29

https://tools.cisco.com/bugsearch/bug/CSCuu33050

Plugin Details

Severity: Medium

ID: 84726

File Name: cisco-CSCuu33050-mp.nasl

Version: 1.5

Type: remote

Family: CISCO

Published: 7/14/2015

Updated: 6/12/2020

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:cisco:unified_meetingplace

Required KB Items: Settings/ParanoidReport, installed_sw/Cisco Unified MeetingPlace

Exploit Ease: No known exploits are available

Patch Publication Date: 6/23/2015

Vulnerability Publication Date: 6/23/2015

Reference Information

CVE: CVE-2015-4214

BID: 75380

CISCO-BUG-ID: CSCuu33050