SB2016090701 - Two vulnerabilities in Cisco WebEx Meetings Player
Published: September 7, 2016
Description
This security bulletin contains information about 2 vulnerabilities.
1) Denial of service (CVE-ID: CVE-2016-1415)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows attackers to cause a denial of service.
The vulnerability exists due to an error while parsing WRF files. A remote attacker can trick the victim into loading a malicious WRF file in Cisco WebEx Meetings Player and cause the application to crash.
Successful exploitation of this vulnerability will allow an attacker to crash the application.
2) Remote code execution (CVE-ID: CVE-2016-1464)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows remote attackers to execute arbitrary code on a vulnerable system.
The vulnerability exists due to an error while parsing WRF files. A remote attacker can trick the victim into loading a malicious WRF file in Cisco WebEx Meetings Player and execute arbitrary code on the target system.
Successful exploitation of this vulnerability will allow an attacker to compromise the vulnerable system.
Remediation
Install the update from the vendor's website.