Effective October 18, 2011, Cisco has replaced the existing RSS feeds for Cisco Security Advisories. The new RSS feeds for Cisco Security Advisories are available at http://tools.cisco.com/security/center/psirtrss10/CiscoSecurityAdvisory.xml and http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml. The existing RSS feeds will continue to function until November 19, 2011. They will not receive updates after this date.
Monthly Archives: October 2011
Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.
Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.
Cisco Unified Communications Manager Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.
Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series of devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation prevents cameras from sending video streams, subsequently causing a reboot. The camera reboot is done automatically and does not require action from an operator.
Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC Vulnerability Note VU#520721 at http://www.kb.cert.org/vuls/id/520721
Oracle Critical Patch Update (CPU) Advisory – October 2011
CiscoWorks Common Services Arbitrary Command Execution Vulnerability
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
Cisco Show and Share Security Vulnerabilities
The Cisco Show and Share webcasting and video sharing application contains two vulnerabilities.
CVE-2011-4137
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521. (CVSS:5.0) (Last Update:2011-10-19)