Multiple vulnerabilities in Cisco Webex Meetings and Cisco Webex Meetings Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-3441 CVE-2020-3471 CVE-2020-3419 |
| CWE-ID | CWE-200 CWE-913 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Cisco Webex Meetings Server applications / Conferencing, Collaboration and VoIP solutions Cisco WebEx Meetings Server Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU48555
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3441
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient protection of sensitive participant information. A remote attacker can browse the Webex roster to gather information about other Webex participants, such as email address and IP address, while waiting in the lobby.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco Webex Meetings: 40.6.0
Cisco WebEx Meetings Server: 3.0MR3 Patch 4
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU48556
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3471
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a synchronization issue between meeting and media services on a vulnerable Webex site. A remote attacker can send specially crafted requests to maintain the audio connection of a Webex session despite being expelled.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco WebEx Meetings Server: 3.0MR3 Patch 4 - 4.0MR3 Patch 3
Cisco Webex Meetings: 39.5.25 - 40.9.5
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Control of Dynamically-Managed Code Resources
EUVDB-ID: #VU48560
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3419
CWE-ID:
CWE-913 - Improper Control of Dynamically-Managed Code Resources
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to join a Webex session without appearing on the participant list.
The vulnerability exists due to improper handling of authentication tokens by a vulnerable Webex site. A remote attacker can send specially crafted requests and join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco WebEx Meetings Server: 3.0MR3 Patch 4 - 4.0MR3 Patch 3
Cisco Webex Meetings: 40.10.9
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
