==============
This is the Cisco PSIRT response to an issue discovered and reported
to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK
regarding a cross-site scripting (XSS) vulnerability in Cisco Unified
MeetingPlace Web Conferencing.
The original report is available at the following link:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065134.html
Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing
Authentication Bypass Vulnerability
Advisory ID: cisco-sa-20090225-mtgplace
Revision 1.0
PR10-15: Multiple XSS flaws within Mitel's AWC (Mitel Audio and Web
Conferencing)
Vulnerability found: 21st July 2010
Vendor informed: 26th July 2010
Vulnerability fixed:
Severity: High
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14
PR10-14 Unauthenticated command execution within Mitel's AWC (Mitel
Audio and Web Conferencing)
Advisory publicly released: Tuesday, 21 December 2010
Vulnerability found: Wednesday, 21 July 2010
Vendor informed: Monday, 26 July 2010
Severity level: High/Critical
Credits
Title: Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting Vulnerability
CVE Identifier: N/A
____________
Credit:
Security Assurance Team of the National Australia Bank.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the “Guidelines for Security Vulnerability Reporting and Response V2.0” document when issuing Security Advisories.
==========================================================================
Vendor description:
-------------------
Web conferencing software from Novell. Teaming and conferencing offers a
number of solutions to improve productivity for enterprises, with web
conferencing just one of those solutions.
[source: http://www.novell.com/products/teaming/]
a. Interested speakers will send us their talk details
a. We will post the list of speakers and abstracts online
b. Participants will register for talks and will receive webinar invitations
c. Speakers will broadcast their talks using screencasting / web
conferencing software and invited participants will join in
d. The participants will use IRC / Chat rooms to ask questions to the
speakers during the talks
Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by
at least one of the vulnerabilities described in this document.
The Cisco Unified MeetingPlace conferencing solution provides
functionality that allows organizations to host integrated voice,
video, and web conferencing. The solution is deployed on-network and
integrated directly into an organization's private voice/data
networks and enterprise applications. Cisco Unified MeetingPlace
servers can be deployed so that the server is accessible from the
Internet, allowing external parties to participate in meetings.