CVE-2011-3288

Published: Oct 6, 2011Modified: Apr 29, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564.

Affected (1)

Products: Cisco: Unified Presence

1 product

Unified Presence

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Presence	Before 8.5\(4\)

Related CWEs

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References (3)

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d47.shtml

Source: psirt@cisco.com

Not Applicable

https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110928-xcpcupsxml.html

Source: nvd@nist.gov

Vendor Advisory

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d47.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.