SB2020080517 - Multiple vulnerabilities in Cisco Webex Meetings
Published: August 5, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-3412)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions that allows creation of meeting templates that belong to other users. A remote authenticated user can send a specially crafted request and create templates for other users.
2) Improper access control (CVE-ID: CVE-2020-3413)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions that allows deletion of meeting templates that belong to other users in organisation. A remote authenticated user can send a specially crafted request and delete templates that belong to other users.
3) Information disclosure (CVE-ID: CVE-2020-3472)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to improper access restrictions that allow a remote authenticated users to obtain details of users on another Webex site, including user names and email addresses.
Remediation
Install update from vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-smtcreate-YmuD5...
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu45984
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-smtdelete-gJDurOgR
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-mAkmV4qc
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu40725