Full Disclosure mailing list archives

Re: Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006

From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Date: Wed, 18 May 2011 11:02:12 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

This is the Cisco PSIRT response to the vulnerabilities that were
discovered and reported to Cisco Systems by Brett Gervasoni of Sense of
Security, regarding multiple vulnerabilities in Cisco Unified Operations
Manager (CuOM).

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities and welcome the opportunity to review and
assist in product reports.

These vulnerabilities are documented in the following Cisco bug IDs and
Intellishield vulnerability alerts:

* CSCtn61716: XSS and SQL Blind Vulnerabilities in Cisco Unified
Operations Manager

Intellishield vulnerability alerts:

SQL Blind Injection:

http://tools.cisco.com/security/center/viewAlert.x?alertId=23085

CuOM XSS Vulnerabilities:

http://tools.cisco.com/security/center/viewAlert.x?alertId=23086

* CSCto12704: Reflected Cross Site Scripting into ServerHelpEngine
servlet

Intellishield vulnerability alert:

http://tools.cisco.com/security/center/viewAlert.x?alertId=23088

* CSCto12712: XSS vulnerability in CuOM Device Center

Intellishield vulnerability alert:

http://tools.cisco.com/security/center/viewAlert.x?alertId=23087

* CSCto35577: Directory Traversal vulnerabilities in CWHP

Intellishield vulnerability alert:

http://tools.cisco.com/security/center/viewAlert.x?alertId=23089


Information related to affected software versions and fixed software are
available in the published Intellishield vulnerability alerts and the
Cisco Bug ID release note enclosures.

Cisco PSIRT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iF4EAREIAAYFAk3T3YwACgkQQXnnBKKRMNA3lwD8DFK3dw5Gc5ZsGbajYDc0YuGx
nGeYOvu2Hcp1gDBrFvcA/1DcbqvNMwMf0+04qWpUWSD+ckwfIh7LmNROFONwBCEI
=ypJ9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 Lists (May 17)
- <Possible follow-ups>
- Re: Cisco Unified Operations Manager Multiple Vulnerabilities - SOS-11-006 Cisco Systems Product Security Incident Response Team (May 18)