CVE-2015-4328

Cisco TelePresence Video Communication Server Expressway X8.5.2 - Authenticated OS Command Injection via HTTP Request

Title source: llm
STIX 2.1

Description

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 improperly checks for a user account's read-only attribute, which allows remote authenticated users to execute arbitrary OS commands via crafted HTTP requests, as demonstrated by read or write operations on the Unified Communications lookup page, aka Bug ID CSCuv12552.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033329
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76399
Vendor Advisory vendor-advisory x_refsource_cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=40522

Scores

EPSS 0.0198
EPSS Percentile 78.2%

Details

CWE
CWE-20
Status published
Products (1)
cisco/telepresence_video_communication_server_software x8.5.2
Published Aug 20, 2015
Tracked Since Feb 18, 2026