CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2019-1639 – Cisco Webex Network Recording Player Arbitrary Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2019-1639
A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software. Successful exploitation could allow the attacker to execute arbitrary code on the affected system. Una vulnerabilidad en Cisco Webex Network Recording Player para Microsoft Windows y Cisco Webex Player para Microsoft Windows podría permitir que un atacante ejecute código arbitrario en un sistema afectado. • http://www.securityfocus.com/bid/106704 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 14%CPEs: 1EXPL: 0CVE-2019-1636 – Cisco Webex Teams URI Handler Insecure Library Loading Vulnerability
https://notcve.org/view.php?id=CVE-2019-1636
A vulnerability in the Cisco Webex Teams client, formerly Cisco Spark, could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system. • http://www.securityfocus.com/bid/106718 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-teams • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15461 – Cisco Webex Business Suite Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2018-15461
A vulnerability in the MyWebex component of Cisco Webex Business Suite could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by convincing a user to click a crafted URL. To exploit this vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. Una vulnerabilidad en el componente MyWebex en Cisco Webex Business Suite podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106505 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-webex-bs-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 10%CPEs: 2EXPL: 3CVE-2018-15442 – Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2018-15442
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. • https://www.exploit-db.com/exploits/45696 https://www.exploit-db.com/exploits/45695 http://www.securityfocus.com/bid/105734 http://www.securitytracker.com/id/1041942 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection https://webexec.org https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/webexec.rb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 0%CPEs: 21EXPL: 0CVE-2018-15417 – Cisco Webex Network Recording Player and Cisco Webex Player Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-15417
A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exist because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or an email attachment and persuading the user to open the file by using the affected software. A successful exploit could allow the attacker to execute arbitrary code on the affected system. Una vulnerabilidad en Cisco Webex Network Recording Player para Microsoft Windows y Cisco Webex Player para Microsoft Windows podría permitir que un atacante ejecute código arbitrario en un sistema afectado. • http://www.securityfocus.com/bid/105520 http://www.securitytracker.com/id/1041795 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-webex-rce • CWE-20: Improper Input Validation •