Arbitrary command execution in Cisco WebEx Meetings Server



| Updated: 2016-09-23
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-1482
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Other
Vendor

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Arbitrary command execution

EUVDB-ID: #VU656

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-1482

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability exposes a remote user's possibility to cause arbitrary command execution on the target system.
The weakness exists due to improper input validation. By sending specially crafted data attackers can inject and execute arbitrary commands with elevated privileges.
Successful exploitation of the vulnerability may result in arbitrary command execution on the vulnerable system.

Mitigation

Update to 2.7.

Vulnerable software versions

: 2.6

CPE2.3 External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-wem


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###