CVE-2015-4319 - OpenCVE

The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cisco	Telepresence Video Communication Server Software

Configuration 1 [-]

cpe:2.3:a:cisco:telepresence_video_communication_server_software:x8.5.1:*:*:*:expressway:*:*:*

No data.

References

Link	Providers
http://tools.cisco.com/security/center/viewAlert.x?alertId=40442
http://www.securityfocus.com/bid/76366
http://www.securitytracker.com/id/1033323

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2015-08-20T10:00:00

Updated: 2024-08-06T06:11:12.900Z

Reserved: 2015-06-04T00:00:00

Link: CVE-2015-4319

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-08-20T10:59:08.903

Modified: 2017-01-04T18:04:21.423

Link: CVE-2015-4319

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "76366", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/76366"}, {"name": "1033323", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033323"}, {"name": "20150814 Cisco TelePresence Video Communication Server Expressway Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "ID": "CVE-2015-4319", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "76366", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76366"}, {"name": "1033323", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033323"}, {"name": "20150814 Cisco TelePresence Video Communication Server Expressway Access Vulnerability", "refsource": "CISCO", "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:11:12.900Z"}, "title": "CVE Program Container", "references": [{"name": "76366", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/76366"}, {"name": "1033323", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033323"}, {"name": "20150814 Cisco TelePresence Video Communication Server Expressway Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2015-4319", "datePublished": "2015-08-20T10:00:00", "dateReserved": "2015-06-04T00:00:00", "dateUpdated": "2024-08-06T06:11:12.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:telepresence_video_communication_server_software:x8.5.1:*:*:*:expressway:*:*:*", "matchCriteriaId": "E66073CB-E4BF-458F-B645-5EFA5FB3067D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338."}, {"lang": "es", "value": "Vulnerabilidad en la funcionalidad de cambio de contrase\u00f1a en la interfaz web administrativa en Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1, realiza autorizaci\u00f3n inadecuadamente, lo que permite a usuarios remotos autenticados resetear contrase\u00f1as arbitrarias de usuarios activos a trav\u00e9s de vectores no especificados, tambi\u00e9n conocida como Bug ID CSCuv12338."}], "id": "CVE-2015-4319", "lastModified": "2017-01-04T18:04:21.423", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-20T10:59:08.903", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=40442"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/76366"}, {"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1033323"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}