A vulnerability in the Simple Object Access Protocol (SOAP) application programming interface (API) of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an authenticated, remote attacker to obtain sensitive information that should be restricted. The attacker must authenticate as the admin user.
The vulnerability is due to lack of role-based access control (RBAC) in the application. An attacker could exploit this vulnerability by authenticating as the admin user and using the SOAP API to request restricted and sensitive information. An exploit could allow the attacker to obtain a list of customer credentials and other sensitive information.
Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151210-hcm