#VU24661 Improper access control in Cisco Webex Meetings Suite and Cisco Webex Meetings Online - CVE-2020-3142
Published: January 27, 2020
Vulnerability identifier: #VU24661
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-3142
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Webex Meetings Suite
Cisco Webex Meetings Online
Cisco Webex Meetings Suite
Cisco Webex Meetings Online
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to unintended meeting information exposure in a specific meeting join flow for mobile applications. A remote attacker can join the
password-protected meeting without providing the meeting password.
This vulnerability can be exploited by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee.
Remediation
Install updates from vendor's website.