Vigil@nce - Cisco Unified Communications Domain Manager: unauthorized access to the "bvsmweb" directory
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can view the content of the directory "bvsmweb" in
Cisco Unified Communications Domain Manager, in order to get maybe
sensitive information.
Impacted products: Cisco CUCM.
Severity: 2/4.
Creation date: 30/06/2015.
DESCRIPTION OF THE VULNERABILITY
The Cisco Unified Communications Domain Manager product offers a
web service.
The access to this directory "bvsmweb" in this interface should be
restricted. However, some access checks are missing and the
directory content may be retrieved by any client.
An attacker can therefore view the content of the directory
"bvsmweb" in Cisco Unified Communications Domain Manager, in order
to get maybe sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN