CVE-2021-1532

MEDIUM

Cisco TelePresence <9.14.6 & RoomOS <10.3.1 Authenticated Arbitrary File Read

Title source: llm

Description

A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system. This vulnerability is due to insufficient path validation of command arguments. An attacker could exploit this vulnerability by sending a crafted command request to the xAPI. A successful exploit could allow the attacker to read the contents of any file that is located on the device filesystem.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-rmos-fileread-pE9sL3g

Scores

CVSS v3 6.5

EPSS 0.0021

EPSS Percentile 42.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

cisco/roomos < 10.3.1

cisco/telepresence_collaboration_endpoint < 9.14.6

Published May 06, 2021

Tracked Since Feb 18, 2026