A short story of LFI and XSS on Cisco Unified Communications Manager Administrative Interface
Cisco Unified Communications Manager Administrative Web Interface Directory Traversal Vulnerability CVE-2013-5528 {Feels happy when your exploit gets published on exploit-db.com https://www.exploit-db.com/exploits/40887/ } In one of the pentest engagement I got to play with Cisco Unified Communications Manager Administrative Web Interface 8.x.Well I was able to find LFI and XSS on one of the parameter. After few months I reported them to Cisco team. Few mail exchanges were done and Cisco team told me that the vulnerability is previously disclosed via CVE 2013-5528. The team says they have covered LFI and XSS by the same advisory. Any ways, I took the permission to publish the exploit from the team and here I am publishing a writeup. The vulnerability CVE 2013-5528: Directory traversal vulnerability exists on Cisco Unified Communications Manager Administrative Web Interface after authentication. The vulnerability is due to a failure to properly sanitiz...