#VU14674 Security restrictions bypass in Cisco Webex Teams


Published: 2018-09-05 | Updated: 2018-09-06

Vulnerability identifier: #VU14674

Vulnerability risk: Low

CVSSv3.1: 7.6 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0436

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Webex Teams
Client/Desktop applications / Office applications

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions.

The vulnerability exists because the affected software performs insufficient checks for associations between user accounts and organization accounts. A remote attacker who has administrator or compliance officer privileges for one organization account can use those privileges to view and modify data for another organization account.
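
A generic illustration of the missing account-to-organization check described above, with the flawed check beside the corrected one and a defender-side audit query. This is an added example, not Cisco's code; the User/Record model, the function names, the role strings and the audit-log fields are hypothetical, and all sample data is constructed.

```python
from dataclasses import dataclass

# Privileged roles named in the advisory text (string forms are assumed).
PRIVILEGED_ROLES = frozenset({"administrator", "compliance_officer"})

@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str        # organization the account belongs to
    roles: frozenset   # roles granted inside org_id only

@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str        # organization that owns the data

def can_access_role_only(user: User, record: Record) -> bool:
    """Flawed: honours a privileged role without checking where it was granted."""
    return bool(user.roles & PRIVILEGED_ROLES)

def can_access_org_bound(user: User, record: Record) -> bool:
    """Corrected: the role counts only for data owned by the user's own organization."""
    return bool(user.roles & PRIVILEGED_ROLES) and user.org_id == record.org_id

def cross_org_events(audit_log, users):
    """Audit entries whose actor belongs to a different organization than the target data."""
    return [e for e in audit_log if users[e["actor"]].org_id != e["target_org"]]

# Constructed sample data.
USERS = {
    "alice": User("alice", "org-a", frozenset({"compliance_officer"})),
    "bob": User("bob", "org-b", frozenset({"administrator"})),
}
AUDIT_LOG = [
    {"actor": "alice", "action": "view", "target_org": "org-a"},
    {"actor": "alice", "action": "modify", "target_org": "org-b"},
    {"actor": "bob", "action": "view", "target_org": "org-b"},
]

if __name__ == "__main__":
    foreign = Record("r-100", "org-b")
    print("role-only check:", can_access_role_only(USERS["alice"], foreign))
    print("org-bound check:", can_access_org_bound(USERS["alice"], foreign))
    for event in cross_org_events(AUDIT_LOG, USERS):
        print("review:", event)
```
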

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Cisco Webex Teams: All versions


External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

