#VU24661 Improper access control in Cisco Webex Meetings Suite and Cisco Webex Meetings Online
Vulnerability identifier: #VU24661
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Webex Meetings Suite
Client/Desktop applications /
Other client software
Cisco Webex Meetings Online
Server applications /
Conferencing, Collaboration and VoIP solutions
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to unintended meeting information exposure in a specific meeting join flow for mobile applications. A remote attacker can join the
password-protected meeting without providing the meeting password.
This vulnerability can be exploited by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco Webex Meetings Suite: All versions
Cisco Webex Meetings Online: All versions
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
