Information disclosure in Cisco Meeting Server

Published: 2018-11-08 10:54:31
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-15446
CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-200
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Cisco Meeting Server
Vulnerable software versions: Cisco Meeting Server 2.4, Cisco Meeting Server 2.2, Cisco Meeting Server 2.3
Vendor URL: Cisco Systems, Inc

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper protection of data returned in response to user meeting requests when the "Guest access via ID and passcode" option is set to Legacy mode. A remote attacker can send meeting requests, determine the values of meeting room unique identifiers and conduct further exploits.

Remediation

Update to version 2.3.8.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meeting-serv...
