CVE-2006-3109
Cisco CallManager 3.3-4.3 - Cross-Site Scripting via ccmadmin/phonelist.asp and ccmuser/logon.asp
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2006-3109. PoCs published by Jake Reynolds.
AI-analyzed exploit summary
This exploit demonstrates a cross-site scripting (XSS) vulnerability in Cisco CallManager's web interface by injecting a malicious script via the 'MadeUpParameter' parameter. The script modifies form actions to redirect to an attacker-controlled site, potentially stealing credentials.
Description
Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 before 3.3(5)SR3, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3), and 4.3 before 4.3(1) allows remote attackers to inject arbitrary web script or HTML via (1) the pattern parameter in ccmadmin/phonelist.asp and (2) arbitrary parameters in ccmuser/logon.asp, aka bugid CSCsb68657.
Exploits (2)
This exploit demonstrates a cross-site scripting (XSS) vulnerability in Cisco CallManager's web interface by injecting a malicious script via the 'MadeUpParameter' parameter. The script modifies form actions to redirect to an attacker-controlled site, potentially stealing credentials.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in Cisco CallManager's web interface. The PoC URL injects a JavaScript payload into the 'pattern' parameter, which executes in the context of the affected site when accessed by an administrative user.