## Vulnerability Key Information

### Vulnerability Overview

- **Vulnerability Name**: Cisco Emergency Responder Web Framework Arbitrary File Upload Vulnerability
- **Severity**: Medium
- **CVE ID**: CVE-2015-6407
- **CWE ID**: CWE-20
- **Advisory ID**: cisco-sa-20151209-erw
- **Initial Release Date**: December 10, 2015, 07:30 GMT
- **Vulnerability Status**: Final
- **Cisco Bug ID**: CSCuv25501
- **CVSS Score**: Base 4.0, Temporal 3.3

### Vulnerability Description

- **Vulnerability Details**: A vulnerability exists in the Cisco Emergency Responder (CER) Web framework that may allow an unauthenticated remote attacker to upload arbitrary files to restricted locations in the file system.
- **Cause**: Due to insufficient parameter validation.
- **Exploitation Method**: Attackers can exploit this vulnerability by sending specially crafted requests to the server, enabling the upload of arbitrary files to any location on the affected device.

### Affected Products

- **Affected Products**: Cisco Emergency Responder Release 10.5(3.10000.9)
- **Unaffected Products**: No other Cisco products are known to be affected by this vulnerability.

### Solution

- **Fix Software**: Cisco has released software updates to address this vulnerability.
- **Notes**: Customers considering software upgrades are advised to consult the Cisco Security Advisory and Response Archive.

### Additional Information

- **Workarounds**: No workarounds are available.
- **Public Exploits and Announcements**: The Cisco Product Security Incident Response Team (PSIRT) has not identified any public announcements or malicious use of this vulnerability.
- **Related Links**: [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-erw)