SB2020080517 - Multiple vulnerabilities in Cisco Webex Meetings
Published: August 5, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-3412)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions that allow creation of meeting templates that belong to other users. A remote authenticated user can send a specially crafted request and create templates for other users.
2) Improper access control (CVE-ID: CVE-2020-3413)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions that allow deletion of meeting templates that belong to other users in the organisation. A remote authenticated user can send a specially crafted request and delete templates that belong to other users.
3) Information disclosure (CVE-ID: CVE-2020-3472)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to improper access restrictions that allow a remote authenticated user to obtain details of users on another Webex site, including user names and email addresses.
Remediation
Install the update from the vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-smtcreate-YmuD5...
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu45984
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-smtdelete-gJDurOgR
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-mAkmV4qc
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu40725