CVE-2015-4682
Description
Polycom RealPresence Resource Manager before 8.4 leaks the installation path via a POST request to JConfigManager.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Polycom RealPresence Resource Manager before 8.4 leaks the installation path via a POST request to JConfigManager.
Vulnerability
Polycom RealPresence Resource Manager (RPRM) versions before 8.4 contain a path disclosure vulnerability. An authenticated remote user can obtain the installation path of the application by sending an HTTP POST request to the /PlcmRmWeb/JConfigManager endpoint. The bug resides in the JConfigManager servlet, which returns internal path information in its response when processing crafted requests [1][2][3].
Exploitation
An attacker needs valid credentials to authenticate to the RPRM web interface. Once authenticated, they send a simple HTTP POST request to /PlcmRmWeb/JConfigManager. No special privileges or additional conditions are required beyond standard user authentication [1].
Impact
Successful exploitation reveals the absolute installation path of the RPRM application. While this alone is low-severity information disclosure, it provides reconnaissance data that can be combined with other vulnerabilities (e.g., directory traversal or file inclusion) to achieve more severe compromise [1][2].
Mitigation
Polycom released version 8.4 which fixes this issue [1][2][3]. Organizations still on versions below 8.4 should upgrade immediately. No workaround is available, and the product does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2cpe:2.3:a:polycom:realpresence_resource_manager:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:polycom:realpresence_resource_manager:*:*:*:*:*:*:*:*range: <=8.3.2
- (no CPE)range: <8.4
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- packetstormsecurity.com/files/132463/Polycom-RealPresence-Resource-Manager-RPRM-Disclosure-Traversal.htmlnvdExploitThird Party AdvisoryVDB Entry
- seclists.org/fulldisclosure/2015/Jun/81nvdExploitMailing ListThird Party AdvisoryVDB Entry
- www.exploit-db.com/exploits/37449/nvdExploitThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/75432nvdThird Party AdvisoryVDB Entry
- support.polycom.com/global/documents/support/documentation/Security_Center_Post_for_RPRM_CVEs.pdfnvdVendor Advisory
- www.securityfocus.com/archive/1/535852/100/0/threadednvd
News mentions
0No linked articles in our index yet.