A vulnerability in the web framework of multiple Cisco TelePresence products could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. Administrative privileges are required in order to access the affected parameter. A successful exploit could allow an attacker to execute system commands with the privileges of the root user.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150513-tp
