Information disclosure in Cisco Meeting Server - CVE-2018-15446

 

Published: November 7, 2018 / Updated: November 8, 2018


Vulnerability identifier: #VU15767
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-15446
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software: Cisco Meeting Server

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper protections on data that is returned from user meeting requests when the "Guest access via ID and passcode" option is set to Legacy mode. A remote attacker can send meeting requests, determine the values of meeting room unique identifiers and conduct further exploits.


How to mitigate CVE-2018-15446

Update to version 2.3.8.
