Vulnerability Key Information

Vulnerability Overview

Vulnerability Name: Cisco Emergency Responder Web Framework Arbitrary File Upload Vulnerability
Severity: Medium
CVE ID: CVE-2015-6407
CWE ID: CWE-20
Advisory ID: cisco-sa-20151209-erw
Initial Release Date: December 10, 2015, 07:30 GMT
Vulnerability Status: Final
Cisco Bug ID: CSCuv25501
CVSS Score: Base 4.0, Temporal 3.3

Vulnerability Description

Vulnerability Details: A vulnerability exists in the Cisco Emergency Responder (CER) Web framework that may allow an unauthenticated remote attacker to upload arbitrary files to restricted locations in the file system.
Cause: Insufficient parameter validation.
Exploitation Method: An attacker can exploit this vulnerability by sending specially crafted requests to the server, enabling the upload of arbitrary files to any location on the affected device.

Affected Products

Affected Products: Cisco Emergency Responder Release 10.5(3.10000.9)
Unaffected Products: No other Cisco products are known to be affected by this vulnerability.

Solution

Fix Software: Cisco has released software updates to address this vulnerability.
Notes: Customers considering software upgrades are advised to consult the Cisco Security Advisory and Response Archive.

Additional Information

Workarounds: No workarounds are available.
Public Exploits and Announcements: The Cisco Product Security Incident Response Team (PSIRT) has not identified any public announcements or malicious use of this vulnerability.
Related Links: Cisco Security Advisory