Vigil@nce - Cisco Unified Communications Manager: password disclosure via the Web interface
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can get "encrypted" passwords for Cisco Unified
Communications Manager.
Impacted products: Cisco CUCM.
Severity: 2/4.
Creation date: 29/06/2015.
DESCRIPTION OF THE VULNERABILITY
The Cisco Unified Communications Manager product offers a web
service.
However, an attacker can bypass access restrictions to some pages
to retrieve encrypted or hashed passwords.
This vulnerability may have the same origin as
VIGILANCE-VUL-17220.
An attacker can therefore get "encrypted" passwords for Cisco
Unified Communications Manager.