Cisco Personal Assistant is a Microsoft Windows 2000-based application
and is part of the AVVID solution. For more information on Personal Assistant,
This vulnerability is only present if both of the following conditions
- The Personal Assistant administrator has checked the "Allow Only
  Cisco CallManager Users" box through System -> Miscellaneous
- The Personal Assistant Corporate Directory settings refer to the same
  directory service that is used by Cisco CallManager.
If both of the above criteria are met, then password authentication to
Personal Assistant user configuration is disabled. Anyone can then enter
a valid User ID with any password and be authorized to make
configuration changes to that account.
The default setting for Personal Assistant is that the "Allow Only
Cisco CallManager Users" box is unchecked.
Users access Personal Assistant by browsing to the address
http://x.x.x.x/pauseradmin where x.x.x.x is the IP address or
hostname of the Personal Assistant server.
This vulnerability does not affect access to Personal Assistant through
the telephony interface. Users access the telephony interface by dialing the
Personal Assistant extension. Personal Assistant uses the user's CallManager
Extension Mobility PIN or the Unity Subscriber Phone Password to authenticate
users through the telephony interface.
This vulnerability is documented as Cisco bug ID