Cisco fixes vulnerabilities in Unified MeetingPlace
Cisco's Unified MeetingPlace voice, video and web conferencing solution contains several holes that allow attackers to compromise vulnerable systems. In a current advisory, the vendor describes an SQL injection hole which can be exploited to manipulate or read out database contents.
Furthermore, specially crafted URLs can apparently be used to set up new user accounts without the attacker having to sign in beforehand. Other flaws in the authentication protocol allow attackers to manipulate transmitted packets to capture user names and passwords or even obtain admin privileges.
Versions 5, 6 and 7 of Cisco Unified MeetingPlace are affected, although not all of the vulnerabilities are present in every version. The vendor has released updates to fix the problems – but only for registered customers.
See also:
- Multiple Vulnerabilities in Cisco Unified MeetingPlace, security advisory from Cisco.
(crve)