CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
EPSS
Percentile
61.3%
A vulnerability in the Call Policy Configuration page of the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or read arbitrary files on an affected system.
The vulnerability is due to insufficient validation of declared document type definitions (DTD) stored externally. An attacker could exploit this vulnerability by supplying a specially crafted XML file to the targeted system. An exploit could allow the attacker to launch a denial of service attack or read arbitrary files.
Cisco has confirmed the vulnerability; however, software updates are not available.
To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement reduces the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | telepresence_video_communication_server | any | cpe:2.3:a:cisco:telepresence_video_communication_server:any:*:*:*:expressway:*:*:* |