CVE-2020-3463 – Cisco Webex Meetings Reflected Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2020-3463
A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Webex Meetings podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz de administración basada en web del servicio afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-mttngs-xss-3VbdxDuF • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-3472 – Cisco Webex Meetings User Email Address Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-3472
A vulnerability in the contacts feature of Cisco Webex Meetings could allow an authenticated, remote attacker with a legitimate user account to access sensitive information. The vulnerability is due to improper access restrictions on users who are added within user contacts. An attacker on one Webex Meetings site could exploit this vulnerability by sending specially crafted requests to the Webex Meetings site. A successful exploit could allow the attacker to view the details of users on another Webex site, including user names and email addresses. Una vulnerabilidad en la funcionalidad contacts de Cisco Webex Meetings podría permitir a un atacante remoto autenticado con una cuenta de usuario legítima acceder a información confidencial. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-mAkmV4qc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVE-2020-3142 – Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability
https://notcve.org/view.php?id=CVE-2020-3142
A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVE-2019-15987 – Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-15987
A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user. Una vulnerabilidad en la interfaz web de Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center y Cisco Webex Training Center, podría permitir a un atacante remoto no autenticado adivinar los nombres de usuario de las cuentas. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-webex-centers-infodis • CWE-287: Improper Authentication •
CVE-2019-1638 – Cisco Webex Network Recording Player Arbitrary Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2019-1638
A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software. Successful exploitation could allow the attacker to execute arbitrary code on the affected system. Una vulnerabilidad en Cisco Webex Network Recording Player para Microsoft Windows y Cisco Webex Player para Microsoft Windows podría permitir que un atacante ejecute código arbitrario en un sistema afectado. • http://www.securityfocus.com/bid/106704 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •