A “highly critical” vulnerability in Cisco’s
flagship Collaboration Server could put users at risk of malicious code
execution, the company said in an advisory.
Cisco, which dominates the market for switching and routing equipment
used to link networks, said the vulnerability was found in versions of its
Cisco Collaboration Server (CCS) that ship with the ServletExec
subcomponent.
“Unauthorized users can upload any file and gain administrative
privileges,” Cisco warned in the advisory posted online.
The vulnerability affects CCS (prior to 5.0) using a ServletExec version
prior to 3.0E. Independent research firm Secunia has tagged the flaw with a
“highly critical” rating because it can be exploited to gain system access
from remote locations.
Users of Cisco Collaboration Server 4.x can apply a fix using an
automated script (available
here). Detailed workarounds and patching instructions have been posted online.
The Cisco Collaboration Server is used mostly in e-commerce settings to
provide electronic CRM
buttons on Web sites to let businesses interact with customers by voice
(PSTN or VoIP) or via text chat.
The CCS can also be used to handle online collaboration features like
two-way Web-page sharing, Follow-Me browsing, form sharing and real-time
application sharing.