Main Vulnerability Database SB2017102404

SB2017102404 - Information disclosure in Cisco Spark Hybrid Calendar Service

Published: October 24, 2017

Security Bulletin ID SB2017102404

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-12310)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the auto discovery phase of Cisco Spark Hybrid Calendar Service because an unencrypted HTTP request is made due to requirements for implementing the Hybrid Calendar service. A remote attacker can view sensitive information in the unencrypted headers of an HTTP method request and access sensitive customer data belonging to Office365 users, such as email and calendar events.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171023-spark