CVE-2015-4319 - OpenCVE

The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Telepresence Video Communication Server Software

Configuration 1 [-]

cpe:2.3:a:cisco:telepresence_video_communication_server_software:x8.5.1:*:*:*:expressway:*:*:*

References

Link	Resource
http://tools.cisco.com/security/center/viewAlert.x?alertId=40442	Vendor Advisory
http://www.securityfocus.com/bid/76366	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1033323	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2015-08-20T10:00:00

Updated: 2016-12-20T16:57:01

Reserved: 2015-06-04T00:00:00

Link: CVE-2015-4319

JSON object: View

NVD Information

Status : Analyzed

Published: 2015-08-20T10:59:08.903

Modified: 2017-01-04T18:04:21.423

Link: CVE-2015-4319

JSON object: View

Redhat Information

No data.

CWE

CWE-255

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "76366", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76366"}, {"name": "1033323", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033323"}, {"name": "20150814 Cisco TelePresence Video Communication Server Expressway Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "ID": "CVE-2015-4319", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "76366", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76366"}, {"name": "1033323", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033323"}, {"name": "20150814 Cisco TelePresence Video Communication Server Expressway Access Vulnerability", "refsource": "CISCO", "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}]}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2015-4319", "datePublished": "2015-08-20T10:00:00", "dateReserved": "2015-06-04T00:00:00", "dateUpdated": "2016-12-20T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:telepresence_video_communication_server_software:x8.5.1:*:*:*:expressway:*:*:*", "matchCriteriaId": "E66073CB-E4BF-458F-B645-5EFA5FB3067D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}, {"lang": "es", "value": "Vulnerabilidad en la funcionalidad de cambio de contrase\u00f1a en la interfaz web administrativa en Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1, realiza autorizaci\u00f3n inadecuadamente, lo que permite a usuarios remotos autenticados resetear contrase\u00f1as arbitrarias de usuarios activos a trav\u00e9s de vectores no especificados, tambi\u00e9n conocida como Bug ID CSCuv12338."}], "id": "CVE-2015-4319", "lastModified": "2017-01-04T18:04:21.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-20T10:59:08.903", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/76366"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1033323"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}