332 replies to this topic

[AplusWebMaster]

FYI...

> http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in Cisco Unified Computing System
- http://tools.cisco.c...130424-ucsmulti
2013 April 24 - "Summary:
Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the vulnerabilities:
- Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
- Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
- Cisco Unified Computing Management API Denial of Service Vulnerability
- Cisco Unified Computing System Information Disclosure Vulnerability
- Cisco Unified Computing System KVM Authentication Bypass Vulnerability
Cisco has released free software updates that address these vulnerabilities..."
- http://tools.cisco.c...x?alertId=28729
CVE: CVE-2013-1182, CVE-2013-1183, CVE-2013-1184, CVE-2013-1185, CVE-2013-1186
- https://secunia.com/advisories/53188/
Release Date: 2013-04-25
Criticality level: Moderately critical
Impact: Security Bypass, DoS, System access
Where: From local network...

Cisco Device Manager Command Execution Vulnerability
- http://tools.cisco.c...a-20130424-fmdm
2013 April 24 - "Summary: Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a client host with the privileges of the user. This vulnerability affects Cisco Device Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host running Microsoft Windows... Cisco has released free software updates that address this vulnerability in the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 Series Switches have discontinued the support of the Cisco Device Manager installation via JNLP and updates are not available. Workarounds that mitigate this vulnerability are available..."
- https://web.nvd.nist...d=CVE-2013-1192 - 9.3 (HIGH)
- https://secunia.com/advisories/53190/
Release Date: 2013-04-25
Criticality level: Highly critical
Impact: System access
Where: From remote...

Multiple Vulnerabilities in Cisco NX-OS-Based Products
- http://tools.cisco.c...30424-nxosmulti
2013 April 24 - "Summary:
Cisco Nexus, Cisco Unified Computing Systemn (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:
- Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products
- Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability
- Cisco NX-OS Software SNMP Buffer Overflow Vulnerability
- Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities..."
Revision 1.2 - 2013-April-26 - Updated summary table in Affected Products for clarification. Corrected UCS 6100/6200 information for jumbo frame vulnerability in summary table.
- http://tools.cisco.c...x?alertId=28737
CVE: CVE-2013-1178, CVE-2013-1179, CVE-2013-1180, CVE-2013-1181
- https://secunia.com/advisories/53189/
Release Date: 2013-04-25
Criticality level: Moderately critical
Impact: DoS, System access
Where: From local network...

Edited by AplusWebMaster, 28 April 2013 - 08:21 AM.

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Prime Data Center Network Manager Remote Command Execution Vuln
- http://tools.cisco.c...a-20121031-dcnm
Last Updated: 2013 May 8 Revision 2.0 - "Summary: Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application. Cisco has released free software updates that address this vulnerability...
- Revision 2.0 - 2013-May-08 - Updated advisory to indicate that the DCNM LAN server component of DNCM is also affected by this vulnerability. Added corresponding Cisco bug ID CSCua31204 and updated fixed software..."

Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
- http://tools.cisco.c...sa-20130508-cvp
2013 May 8 Revision 1.0 - "Summary: Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device. Cisco has released free software updates that address these vulnerabilities..."

[AplusWebMaster]

FYI...

- https://tools.cisco....cationListing.x

Cisco TelePresence Supervisor MSE 8050 DoS vuln
- http://tools.cisco.c...sa-20130515-mse
2013 May 15 Revision 1.0 - "Cisco TelePresence Supervisor MSE 8050 contains a vulnerability that may allow an unauthenticated, remote attacker to cause high CPU utilization and a reload of the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."

- https://secunia.com/advisories/53388/
Release Date: 2013-05-16
Impact: DoS
Where: From local network
CVE Reference: https://web.nvd.nist...d=CVE-2013-1236 - 7.8 (HIGH)
... vulnerability is reported in versions 2.2(1.17) and prior.
Solution: Update to version 2.3(1.31).
___

Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
- http://tools.cisco.c...sa-20130508-cvp
2013 May 10 Revision 1.1 - "Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available..."
Revision 1.1 - 2013-May-10 - Updated Workaround and Software Versions sections.

Edited by AplusWebMaster, 16 May 2013 - 10:16 PM.

[AplusWebMaster]

FYI...

Multiple Vulnerabilities in Cisco ASA Software
- http://tools.cisco.c...sa-20130410-asa
Last Updated 2013 May 23 - "... Successful exploitation of any of these vulnerabilities may result in a reload of an affected device, leading to a denial of service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities..."
Affected Products: Cisco ASA Software for Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, and Cisco ASA 1000V Cloud Firewall are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected versions.
Cisco PIX Security Appliances may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached the End of Software Maintenance Releases milestone. Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances.
Revision 1.1 - 2013-May-23 - Made Cisco ASA Software release 9.1(2) the recommended 9.1.x release because the previous 9.1.x recommended release (9.1.1.4) was reported to be unstable in certain configurations. This instability issue is fixed in release 9.1(2).

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco TelePresence TC and TE Software - Multiple Vulnerabilities
- http://tools.cisco.c...sa-20130619-tpc
Revision 1.0 / 2013 June 19 - "Summary: Cisco TelePresence TC and TE Software contain two vulnerabilities in the implementation of the Session Initiation Protocol (SIP) that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition. Additionally, Cisco TelePresence TC Software contain an adjacent root access vulnerability that could allow an attacker on the same physical or logical Layer-2 network as the affected system to gain an unauthenticated root shell. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate the Cisco TelePresence TC and TE Software SIP Denial of Service vulnerabilities are available..."
CVE-2013-3377, CVE-2013-3378, CVE-2013-3379
___

Cisco Unified Computing System - Multiple Vulnerabilities
- http://tools.cisco.c...130424-ucsmulti
Revision 1.2 / 2013 June 6 - "Summary: Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the vulnerabilities:
- Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
- Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
- Cisco Unified Computing Management API Denial of Service Vulnerability
- Cisco Unified Computing System Information Disclosure Vulnerability
- Cisco Unified Computing System KVM Authentication Bypass Vulnerability
Cisco has released free software updates that address these vulnerabilities..."
CVE-2013-1182, CVE-2013-1183, CVE-2013-1184, CVE-2013-1185, CVE-2013-1186
Revision 1.2 - 2013-June-06: Updated software availability status for first generation (C200/C2210/C250) UCS Stand Alone servers.

Edited by AplusWebMaster, 20 June 2013 - 06:05 AM.

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Web Security Appliance - multiple vulns
- http://tools.cisco.c...sa-20130626-wsa
Revision 1.0 / 2013 June 26 - Summary: Cisco IronPort AsyncOS Software for Cisco Web Security Appliance is affected by the following vulnerabilities:
- Two authenticated command injection vulnerabilities
- Management GUI Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of any of the two command injection vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.
Successful exploitation of the Management GUI Denial of Service Vulnerability could cause several critical processes to become unresponsive and make the affected system unstable. Cisco has released free software updates that address these vulnerabilities...

Cisco ASA Next-Generation Firewall - DoS vuln
- http://tools.cisco.c...a-20130626-ngfw
Revision 1.0 / 2013 June 26 - Summary: Cisco ASA Next-Generation Firewall (NGFW) Services contains a Fragmented Traffic Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability on the Cisco ASA NGFW could cause the device to reload or stop processing user traffic that has been redirected by the parent Cisco ASA to the ASA NGFW module for further inspection. There are no workarounds for this vulnerability, but mitigations are available. Cisco has released free software updates that address this vulnerability...

Cisco Content Security Management Appliance - multiple vulns
- http://tools.cisco.c...sa-20130626-sma
Revision 1.0 / 2013 June 26 - Summary: Cisco IronPort AsyncOS Software for Cisco Content Security Management Appliance is affected by the following vulnerabilities:
- Web Framework Authenticated Command Injection Vulnerability
- IronPort Spam Quarantine Denial of Service Vulnerability
- Management GUI Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of the Web Framework Authenticated Command Injection Vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.
Successful exploitation of either of the two denial of service vulnerabilities could cause several critical processes to become unresponsive and make the affected system unstable. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available...

Cisco Email Security Appliance - multiple vulns
- http://tools.cisco.c...sa-20130626-esa
Revision 1.0 / 2013 June 26 - Summary: Cisco IronPort AsyncOS Software for Cisco Email Security Appliance is affected by the following vulnerabilities:
- Web Framework Authenticated Command Injection Vulnerability
- IronPort Spam Quarantine Denial of Service Vulnerability
- Management GUI Denial of Service Vulnerability
Successful exploitation of the Web Framework Authenticated Command Injection Vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Successful exploitation of either of the two denial of service vulnerabilities may cause several critical processes to become unresponsive and make the affected system unstable. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available...

[AplusWebMaster]

FYI...

Cisco Intrusion Prevention System Software - multiple vulns
- http://tools.cisco.c...sa-20130717-ips
2013 July 17 - "Summary: Cisco Intrusion Prevention System (IPS) Software is affected by the following vulnerabilities:
- Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability
- Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability
- Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability
- Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability
The Cisco IPS Software Malformed IP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. The Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the Analysis Engine process to become unresponsive due to memory corruption or could cause the reload of the affected system. The Cisco IPS NME Malformed IP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause a reload of a Cisco Intrusion Prevention System Network Module Enhanced (IPS NME). The Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability could allow an unauthenticated, remote attacker to cause the kernel of the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module to become unresponsive. Successful exploitation of any of these vulnerabilities could result in a denial of service (DoS) condition. Cisco has released free software updates that address all the vulnerabilities in this advisory with the exception of the Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability. Customers running a vulnerable version of the Cisco IDSM-2 Module should refer to the "Workarounds" section of this advisory for available mitigations. Workarounds that mitigate the Cisco IPS Software Fragmented Traffic Denial of Service Vulnerability and Cisco IDSM-2 Malformed TCP Packets Denial of Service Vulnerability are available..."
See: Affected Products, Workarounds

CVE References:
- https://web.nvd.nist...d=CVE-2013-1218 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2013-1243 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2013-3410 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2013-3411 - 7.8 (HIGH)
___

Cisco Unified Communications Manager - multiple vulns
- http://tools.cisco.c...a-20130717-cucm
2013 July 17 - "Summary: Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could be used together to allow an unauthenticated, remote attacker to gather user credentials, escalate privileges, and execute commands to gain full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify information in Cisco Unified CM. On June 6, 2013, a French security firm, Lexfo, delivered a public presentation on VoIP security that included a demonstration of multiple vulnerabilities used to compromise Cisco Unified CM. During the presentation, the researchers demonstrated a multistaged attack that chained a number of vulnerabilities, which resulted in a complete compromise of the Cisco Unified CM server. The attack chain used the following types of vulnerabilities:
- Blind Structured Query Language (SQL) injection
- Command injection
- Privilege escalation
Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. Cisco has released a Cisco Options Package (COP) file that addresses three of the vulnerabilities documented in this advisory. Cisco is currently investigating the remaining vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."

- https://secunia.com/advisories/54249/
2013-07-18
CVE Reference(s):
- https://web.nvd.nist...d=CVE-2013-3402 - 6.5
- https://web.nvd.nist...d=CVE-2013-3403 - 6.8
- https://web.nvd.nist...d=CVE-2013-3404 - 6.4
- https://web.nvd.nist...d=CVE-2013-3412 - 6.5
- https://web.nvd.nist...d=CVE-2013-3433 - 6.8
- https://web.nvd.nist...d=CVE-2013-3434 - 6.8

- https://www.us-cert....rity-Advisories
July 18, 2013

Edited by AplusWebMaster, 18 July 2013 - 12:11 PM.

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Video Surveillance Mgr - multiple vulns
- http://tools.cisco.c...sa-20130724-vsm
2013 July 24 - "Summary: The Cisco Video Surveillance Manager (VSM) allows operations managers and system integrators to build customized video surveillance networks to meet their needs. Cisco VSM provides centralized configuration, management, display, and control of video from Cisco and third-party surveillance endpoints. Multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system... Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available..."

- http://www.securityt....com/id/1028827
CVE Reference: CVE-2013-3429, CVE-2013-3430, CVE-2013-3431
Jul 24 2013
Impact: Disclosure of system information, Modification of system information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes ...
Solution: The vendor has issued a fix (7.0.1)...

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Authenticated Command Injection Vuln in multiple Cisco Content Network and Video Delivery Products
- http://tools.cisco.c...-sa-20130731-cm
2013 July 31 - "Summary: Multiple Cisco content network and video delivery products contain a vulnerability when they are configured to run in central management mode. This vulnerability could allow an authenticated but unprivileged, remote attacker to execute arbitrary code on the affected system and on the devices managed by the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1028852
- http://www.securityt....com/id/1028853
___

Cisco WAAS Central Manager Remote Code Execution Vuln
- http://tools.cisco.c...20130731-waascm
2013 July 31 - "Summary: Cisco Wide Area Application Services (WAAS) when configured as Central Manager (CM), contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1028851
___

Cisco Unified Customer Voice Portal Software ...
- http://tools.cisco.c...sa-20130508-cvp
Revision 1.2 - Last Updated 2013 July 30 - Added location of patches for 8.x releases...

[AplusWebMaster]

FYI...

Cisco - OSPF LSA Manipulation vuln in multiple products
- http://tools.cisco.c...0130801-lsaospf
2013 August 1 - "Summary: Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic. The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain... Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."
(See "Affected Products" at the URL above.)

Cisco PIX Firewall OSPF...
- http://www.securityt....com/id/1028858
Solution: The vendor has issued a fix (8.4.6.5, 9.0.3, 9.1.2.5)...

Cisco Firewall Services Module OSPF...
- http://www.securityt....com/id/1028859

Cisco NX-OS OSPF...
- http://www.securityt....com/id/1028860

Cisco ASR Router OSPF...
- http://www.securityt....com/id/1028861

Cisco ASA OSPF...
- http://www.securityt....com/id/1028862

Cisco IOS OSPF...
- http://www.securityt....com/id/1028863
Solution: The vendor has issued a fix.
A patch matrix is available in the vendor's advisory...

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco TelePresence System Default Credentials vuln
- http://tools.cisco.c...-sa-20130807-tp
Revision 1.2 - 2013-August-09 - Changes to "Vulnerable Products"/"Software Versions and Fixes" sections

Cisco OSPF LSA Manipulation vuln in multiple products
- http://tools.cisco.c...0130801-lsaospf
Revision 1.1 - 2013-August-05 - Fixed broken links

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Unified Communications Manager - multiple vulns
- http://tools.cisco.c...a-20130821-cucm
2013 August 21 - "Summary: Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to modify data, execute arbitrary commands, or cause a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities..."
- http://www.securityt....com/id/1028938
CVE Reference: CVE-2013-3459, CVE-2013-3460, CVE-2013-3461, CVE-2013-3462
Aug 21 2013
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 7.1(x) ,8.5(x) ,8.6(x), 9.0(x), 9.1(x)...

Cisco Unified Communications Manager IM and Presence Service DoS vuln
- http://tools.cisco.c...sa-20130821-cup
2013 August 21 - "Summary: Cisco Unified Communications Manager IM and Presence Service contains a denial of service (DoS) vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of this vulnerability could cause an interruption of presence services. Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate exploitation of this vulnerability..."
- http://www.securityt....com/id/1028937
CVE Reference: CVE-2013-3453
Aug 21 2013
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.1(2)...

Cisco Prime Central for Hosted Collaboration Solution Assurance DoS vuln
- http://tools.cisco.c...sa-20130821-hcm
2013 August 21 - "Summary: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of these vulnerabilities could interrupt the monitoring of voice services and exhaust system resources. Cisco has released free software updates that address these vulnerabilities..."
- http://www.securityt....com/id/1028936
CVE Reference: CVE-2013-3387, CVE-2013-3388, CVE-2013-3389, CVE-2013-3390
Aug 21 2013
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.1 and prior...

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Secure Access Control Server Remote Command Execution vuln
- http://tools.cisco.c...sa-20130828-acs
2013 August 28 - "Summary: A vulnerability in the EAP-FAST authentication module of Cisco Secure Access Control Server (ACS) versions 4.0 through 4.2.1.15 could allow an unauthenticated, remote attacker to execute arbitrary commands on the Cisco Secure ACS server. This vulnerability is only present when Cisco Secure ACS is configured as a RADIUS server. The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server. There are no workarounds for this vulnerability.
Cisco has released free software updates that address this vulnerability..."
- https://secunia.com/advisories/54610/
Release Date: 2013-08-29
Criticality: Moderately Critical
Where: From local network
Impact: System access
Software: Cisco Secure ACS 4.x
CVE Reference: https://web.nvd.nist...d=CVE-2013-3466 - 9.3 (HIGH)
... vulnerability is reported in versions 4.0 through 4.2.1.15 running on Windows.
Solution: Update to version 4.2.1.15.11.
Original Advisory: Cisco (CSCui57636):
http://tools.cisco.c...sa-20130828-acs

Cisco Unified Customer Voice Portal Software - multiple vulns
- http://tools.cisco.c...sa-20130508-cvp
Revision 1.3 / 2013-August-28 / Updated Workarounds section.

Edited by AplusWebMaster, 29 August 2013 - 09:18 PM.

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco WebEx Recording Format and Advanced Recording Format Players - multiple vulns
- http://tools.cisco.c...-20130904-webex
2013 September 4 - "Summary: Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. Exploitation of these vulnerabilities could allow a remote attacker to crash an affected player, and in some cases, could allow a remote attacker to execute arbitrary code on the system of a targeted user. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. Cisco has updated affected versions of the Cisco WebEx Business Suite meeting sites, Cisco WebEx 11 meeting sites, Cisco WebEx Meetings Server, and Cisco WebEx WRF and ARF Players to address these vulnerabilities. Cisco has released free software updates that address these vulnerabilities.. there are no workarounds for the vulnerabilities detailed in this advisory...."
- http://www.securityt....com/id/1028975
CVE Reference:
- https://web.nvd.nist...d=CVE-2013-1115 - 9.3 (HIGH)
- https://web.nvd.nist...d=CVE-2013-1116 - 9.3 (HIGH)
- https://web.nvd.nist...d=CVE-2013-1117 - 9.3 (HIGH)
- https://web.nvd.nist...d=CVE-2013-1118 - 9.3 (HIGH)
- https://web.nvd.nist...d=CVE-2013-1119 - 9.3 (HIGH)
Sep 4 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix:
Cisco WebEx Business Suite (WBS28) client builds T28.8 (28.8 ) or later
Cisco WebEx Business Suite (WBS27) client builds 27.32.16 (T27LDSP32EP16) or later
Cisco WebEx 11 1.2.6.0 (1.2 SP6) builds T28.8 (28.8 ) or later ...

- https://secunia.com/advisories/54724/
Release Date: 2013-09-05
Criticality: Highly Critical
Where: From remote
Impact: System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-1115, CVE-2013-1116, CVE-2013-1117, CVE-2013-1118, CVE-2013-1119
Solution: Update to version 28.8 or 27.32.16.
Original Advisory:
http://tools.cisco.c...-20130904-webex
http://tools.cisco.c...x?alertId=30533
http://tools.cisco.c...x?alertId=30534

Edited by AplusWebMaster, 06 September 2013 - 11:15 AM.

[AplusWebMaster]

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Prime Data Center Network Manager - Multiple Vulnerabilities
- http://tools.cisco.c...a-20130918-dcnm
2013 September 18 - "Summary: Cisco Prime Data Center Network Manager (DCNM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to disclose file components, and access text files on an affected device. Various components of Cisco Prime DCNM are affected. These vulnerabilities can be exploited independently on the same device; however, a release that is affected by one of the vulnerabilities may not be affected by the others. Cisco Prime DCNM is affected by the following vulnerabilities:
- Cisco Prime DCNM Information Disclosure Vulnerability
- Cisco Prime DCNM Remote Command Execution Vulnerabilities
- Cisco Prime DCNM XML External Entity Injection Vulnerability
Cisco has released free software updates that address these vulnerabilities. There are currently no workarounds that mitigate these vulnerabilities..."
Revision 1.1 - 2013-Sep-19 ...Updated "Software Versions and Fixes" section
- http://www.securityt....com/id/1029049
CVE Reference: CVE-2013-5486, CVE-2013-5487, CVE-2013-5490
Sep 18 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.1, 4.2, 5.0, 5.1, 5.2, 6.1 ...
Solution: The vendor has issued a fix (6.2(3))...
___

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance vuln
- http://tools.cisco.c...-sa-20130918-pc
2013 September 18 - "Summary: A vulnerability in the web framework of Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance could allow an unauthenticated, remote attacker to access sensitive information on the system. The vulnerability is due to improper user authentication and inadequate session management. An unauthenticated, remote attacker could exploit this vulnerability by submitting a crafted HTTP request to the web user interface. Successful exploitation of this vulnerability may reveal sensitive information, including user credentials. Cisco has released a free software update that addresses this vulnerability. There are currently no workarounds that mitigate this vulnerability..."
- http://www.securityt....com/id/1029050
CVE Reference: CVE-2013-3473
Sep 18 2013
Impact: Disclosure of authentication information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.0.1, 1.1 ...
Solution: The vendor has issued a fix (9.1.1)...

Edited by AplusWebMaster, 20 September 2013 - 09:32 AM.