Cisco CallManager versions prior to 4.3(1), 4.2(3), 4.1(3)SR4 and 3.3(5)SR3 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in the user's browser session. The vulnerability exists due to improper input sanitization in the CallManager Administration web interface and the CallManager User Options web interface. An attacker could exploit the vulnerability by convincing a user to follow a link designed to pass malicious script code to a vulnerable parameter. This could allow the attacker to execute arbitrary script code in the user's browser session in the context of the affected site. Proof-of-concept code is available. Cisco has confirmed this vulnerability with a security response but patches are not yet available. In order to exploit this vulnerability, an attacker must have an IP address and port number for an affected CallManager server. This will require social engineering or an inside attacker in most cases. However, should the vulnerable interfaces be exposed directly to the Internet, an attacker could determine the address. The attacker would still need to convince a user of one of these systems to execute a crafted link.
Cisco CallManager versions prior to 4.3(1), 4.2(3), 4.1(3)SR4 and 3.3(5)SR3 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in the user's browser session.
The vulnerability exists due to improper input sanitization in the CallManager Administration web interface and the CallManager User Options web interface. An attacker could exploit the vulnerability by convincing a user to follow a link designed to pass malicious script code to a vulnerable parameter. This could allow the attacker to execute arbitrary script code in the user's browser session in the context of the affected site.
Proof-of-concept code is available.
Cisco has confirmed this vulnerability with a security response but patches are not yet available.
In order to exploit this vulnerability, an attacker must have an IP address and port number for an affected CallManager server. This will require social engineering or an inside attacker in most cases. However, should the vulnerable interfaces be exposed directly to the Internet, an attacker could determine the address. The attacker would still need to convince a user of one of these systems to execute a crafted link.
Cisco has re-released a security response regarding Cisco Bug ID CSCsb68657 at the following link: Cisco-SR-20060619-ccmxss
The following are vulnerable:
Cisco CallManager 4.3(1)
Cisco CallManager 4.2 prior to 4.2(3.1)
Cisco CallManager 4.1 prior to 4.1(3)SR4
Cisco CallManager 3.3 prior to 3.3(5)SR3
Cisco CallManager 3.2 and later
Cisco CallManager 3.1 and later
Users are advised not to click on links from untrusted sources.
Users are advised not to enter CallManager authentication information except when they have gone directly to the site requiring such credentials.
Administrators are advised to protect all CallManager web interfaces from outside access by use of a sound firewall strategy.
Administrators are advised to treat local configuration details as sensitive information and not to allow it to fall into the hands of untrusted individuals. This includes both CallManager configuration details and the internal addresses of CallManager servers.
Administrators are advised to contact Cisco for information regarding updated versions that resolve this vulnerability.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Version | Description | Section | Status | Date |
| 1.0 | Initial Release | NA | Final | 2006-Jun-19 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon