Information disclosure in Cisco Meeting Server



Published: 2018-06-07
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-0263
CWE-ID CWE-200
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe 		Cisco Meeting Server
Client/Desktop applications / Multimedia software

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU13218

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0263

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in Cisco Meeting Server (CMS) due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. An adjacent attacker can gain unauthenticated access to configuration and database files and sensitive meeting information.

Mitigation

Update to version 2.3.4.

Vulnerable software versions

Cisco Meeting Server: 2.2

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###