CVE-2020-3537 – Cisco Jabber for Windows Universal Naming Convention Link Handling Vulnerability
https://notcve.org/view.php?id=CVE-2020-3537
A vulnerability in Cisco Jabber for Windows software could allow an authenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted messages that contain Universal Naming Convention (UNC) links to a targeted user and convincing the user to follow the provided link. A successful exploit could allow the attacker to cause the application to access a remote system, possibly allowing the attacker to gain access to sensitive information that the attacker could use in additional attacks. Una vulnerabilidad en el software Cisco Jabber para Windows podría permitir a un atacante remoto autenticado conseguir acceso a información confidencial. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-G3NSjPn7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-12645 – Cisco Jabber Client Framework for Mac Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-12645
A vulnerability in Cisco Jabber Client Framework (JCF) for Mac Software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to execute arbitrary code on an affected device The vulnerability is due to improper file level permissions on an affected device when it is running Cisco JCF for Mac Software. An attacker could exploit this vulnerability by authenticating to the affected device and executing arbitrary code or potentially modifying certain configuration files. A successful exploit could allow the attacker to execute arbitrary code or modify certain configuration files on the device using the privileges of the installed Cisco JCF for Mac Software. Una vulnerabilidad en Cisco Jabber Client Framework (JCF) para Mac Software, instalado como parte del cliente Cisco Jabber para Mac, podría permitir a un atacante local autenticado ejecutar código arbitrario en un dispositivo afectado. La vulnerabilidad es debido a permisos de nivel de archivo inapropiados en un dispositivo afectado cuando se ejecuta el software Cisco JCF para Mac. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-jcf-codex • CWE-20: Improper Input Validation CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2019-1855 – Cisco Jabber for Windows DLL Preloading Vulnerability
https://notcve.org/view.php?id=CVE-2019-1855
A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of the resources loaded by the application at run time. An attacker could exploit this vulnerability by crafting a malicious DLL file and placing it in a specific location on the targeted system. The malicious DLL file would execute when the Jabber application launches. • http://www.securityfocus.com/bid/109038 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-jabber-dll • CWE-264: Permissions, Privileges, and Access Controls CWE-427: Uncontrolled Search Path Element •