Improper access control in Cisco Webex Meetings Suite and Cisco Webex Meetings Online - CVE-2020-3142

 


Published: January 27, 2020


Vulnerability identifier: #VU24661
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-3142
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Webex Meetings Suite
Cisco Webex Meetings Online

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to unintended meeting information exposure in a specific meeting join flow for mobile applications. A remote attacker can join a password-protected meeting without providing the meeting password.

This vulnerability can be exploited by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee.


How to mitigate CVE-2020-3142

Install updates from the vendor's website.
