#VU13407 Session fixation attack in Cisco Meeting Server


Published: 2018-06-21

Vulnerability identifier: #VU13407

Vulnerability risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0359

CWE-ID: CWE-384

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Cisco Meeting Server
Client/Desktop applications / Multimedia software

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a local unauthenticated attacker to conduct a session fixation attack.

The weakness exists in the session identification management functionality of the web-based management interface for Cisco Meeting Server because the affected application does not assign a new session identifier to a user session when the user authenticates. An attacker who has obtained an unauthenticated session identifier and caused a legitimate user to authenticate under it can then present that same identifier to the web-based management interface and take over the authenticated user's browser session.
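The flaw described above is the generic session-fixation pattern: a session identifier issued before login remains valid after login. As an added illustration that is not part of this bulletin and not Cisco's code, the constructed Python model below places a login handler that keeps the pre-authentication identifier next to one that rotates it, simulates the attacker's view of each, and includes a small session_rotated helper for comparing the session cookie value a real target sets before login with the one it sets after. Every name in it (SessionStore, login_vulnerable, login_fixed, simulate_fixation, the admin credential) is an assumption made for the example.

```python
"""Session fixation, modelled with an in-memory session table.

Constructed example: not Cisco Meeting Server code. The class and
function names and the credential below are assumptions for the demo.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None          # None until someone authenticates
    csrf: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    """Server-side session table keyed by the session identifier cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Move the session to a fresh identifier; the old one stops resolving."""
        session = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


USERS = {"admin": "correct horse battery staple"}   # constructed credential


def login_vulnerable(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Weak pattern: marks the existing session as authenticated in place,
    so whoever already holds `sid` now holds an authenticated session."""
    if USERS.get(user) != password:
        raise PermissionError("bad credentials")
    if store.get(sid) is None:
        sid = store.new()
    store.get(sid).user = user
    return sid


def login_fixed(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Hardened pattern: a successful login always issues a new identifier
    and invalidates the one presented, so a planted id is worthless."""
    if USERS.get(user) != password:
        raise PermissionError("bad credentials")
    if store.get(sid) is None:
        sid = store.new()
    new_sid = store.rotate(sid)
    store.get(new_sid).user = user
    return new_sid


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    session = store.get(sid)
    return session.user if session else None


def simulate_fixation(login: Callable[..., str]) -> Tuple[Optional[str], bool]:
    """Attacker obtains an unauthenticated session id, gets the victim to use
    it, the victim logs in, and the attacker presents the planted id.
    Returns (user the planted id now resolves to, whether the victim's
    post-login id differs from the planted one)."""
    store = SessionStore()
    planted = store.new()                       # attacker's pre-auth session
    victim_sid = login(store, planted, "admin", USERS["admin"])
    return whoami(store, planted), victim_sid != planted


def session_rotated(pre_login_cookie: str, post_login_cookie: str) -> bool:
    """Check to run against a real target: pass the session cookie value
    from the first response and the value from the response to a successful
    login. If they are equal, the application is not rotating on login."""
    return pre_login_cookie != post_login_cookie


if __name__ == "__main__":
    print("vulnerable:", simulate_fixation(login_vulnerable))   # ('admin', False)
    print("fixed:     ", simulate_fixation(login_fixed))        # (None, True)
```

In the vulnerable handler the planted identifier resolves to "admin" after the victim logs in; in the fixed handler it resolves to nothing and the victim receives a fresh identifier. Against a live system the equivalent check is to capture the session cookie value before and after a login and confirm it changed; `session_rotated` is that comparison.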

Mitigation
The vulnerability is addressed in versions 2.2.13 and 2.3.4.

Vulnerable software versions

Cisco Meeting Server: 2.3


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-cms-sf


Q & A

Can this vulnerability be exploited remotely?

No. This bulletin lists the exploitation vector as local. The attacker does not need credentials of their own: the attack relies on obtaining an unauthenticated session identifier, getting a legitimate user to authenticate under it, and then presenting that same identifier to the web-based management interface, which accepts it because it was not replaced at login.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
