Vigil@nce - Cisco Unified Contact Center Express: information disclosure via XMPP
April 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a default account of Cisco Unified Contact
Center Express to obtain sensitive information.
Impacted products: Cisco Unified CCX.
Severity: 2/4.
Creation date: 03/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Cisco Unified Contact Center Express product offers an XMPP
service.
However, the product installer creates a default account with a
constant, and therefore well-known, password that cannot be changed.
An attacker can therefore use this account of Cisco Unified
Contact Center Express to obtain sensitive information.