Cisco CallManager, Unified Communications Manager vulnerable to attacks

Cisco is warning that its Cisco CallManager and Unified Communications Manager are vulnerable to cross-site scripting (XSS) and SQL injection attacks. The flaws are in the lang variable of the admin and user logon pages, according to a Cisco security alert. The alert adds: "A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database." Cisco has made patches available.

Separately, "Alessandro Fiorenzi aka NetExpress" has posted to BugTraq an "Undocument bug on Cisco CSS series 11000 with Webns 8.20.0.1."

The post reads:

Cisco CSS series 11000 with webns system and ssh daemon crash on ssh crc32 old 2001 exploit

Cisco CSS :

Webns Version: 08.20.0.01 (using command sh ver)

SSH Version: SSHield version 1.6.1, SSH version OpenSSH_3.0.2p1 (using command sh sshd version)

CSS is default configured with max 5 concurrent sessions

With the old shack exploit, CSS does not release the connection, and when it gets 5 connections it crashes with no other possibility of connection


Copyright © 2007 IDG Communications, Inc.
