CVE-2015-4315

CWE-20 — Improper Input Validation4 documents4 sources

Severity

5.5MEDIUM

EPSS

0.5%

top 36.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Telepresence Video Communication Server Software

Timeline

PublishedAug 20

Latest updateMay 17

Description

The Call Policy Configuration page in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.3 improperly validates external DTDs, which allows remote authenticated users to read arbitrary files or cause a denial of service via a crafted XML document, aka Bug ID CSCuv31853.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

▶NVDcisco/telepresence_video_communicationx8.5.3

🔴Vulnerability Details

GHSA

GHSA-3ww7-qxrg-gc3h: The Call Policy Configuration page in Cisco TelePresence Video Communication Server (VCS) Expressway X8↗2022-05-17

▶

CVEList

CVE-2015-4315: The Call Policy Configuration page in Cisco TelePresence Video Communication Server (VCS) Expressway X8↗2015-08-20

▶

📋Vendor Advisories

Cisco

Cisco Telepresence Video Communication Server Expressway Call Policy Configuration Page Denial of Service Vulnerability↗2015-08-13

▶