SB2020080517 - Multiple vulnerabilities in Cisco Webex Meetings



SB2020080517 - Multiple vulnerabilities in Cisco Webex Meetings

Published: August 5, 2020

Security Bulletin ID SB2020080517
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2020-3412)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions that allows creation of meeting templates that belong to other users. A remote authenticated user can send a specially crafted request and create templates for other users.


2) Improper access control (CVE-ID: CVE-2020-3413)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions that allows deletion of meeting templates that belong to other users in organisation. A remote authenticated user can send a specially crafted request and delete templates that belong to other users.


3) Information disclosure (CVE-ID: CVE-2020-3472)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to improper access restrictions that allow a remote authenticated users to obtain details of users on another Webex site, including user names and email addresses.


Remediation

Install update from vendor's website.