ByteOS Network

NVD Vulnerability Details :

CVE-2019-1679

Analyzed

Source-ykramarz@cisco.com

Published At-07 Feb, 2019 | 21:29

Updated At-23 Mar, 2023 | 17:33

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.0	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Secondary	3.0	5.0	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Primary	2.0	4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N

CPE Matches

Cisco Systems, Inc.

>>telepresence_video_communication_server>>Versions before x12.5(exclusive)

cpe:2.3:a:cisco:telepresence_video_communication_server:*:*:*:*:*:*:*:*

Cisco Systems, Inc.

>>telepresence_conductor>>Versions before xc4.3.4(exclusive)

cpe:2.3:a:cisco:telepresence_conductor:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-918	Primary	nvd@nist.gov
CWE-918	Secondary	ykramarz@cisco.com

References

Hyperlink	Source	Resource
http://www.securityfocus.com/bid/106940	ykramarz@cisco.com	Broken Link Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf	ykramarz@cisco.com	Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History