Information disclosure in Cisco WebEx Event Center



Published: 2017-12-01
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2017-12365
CWE-ID: CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco WebEx Event Center
Category: Client/Desktop applications / Office applications

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU9494

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12365

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a design flaw in the product. A remote attacker can execute a query on an Event Center site to view scheduled meetings. The displayed information includes both listed and unlisted meetings, and the attacker can attend meetings that are not available for their attendance.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Cisco WebEx Event Center: All versions

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex4


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website or opening a file.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


