CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-40115 – Cisco Webex Video Mesh Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-40115
A vulnerability in Cisco Webex Video Mesh could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. Una vulnerabilidad en Cisco Webex Video Mesh podría permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-videomesh-xss-qjm2BDQf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40128 – Cisco Webex Meetings Email Content Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-40128
A vulnerability in the account activation feature of Cisco Webex Meetings could allow an unauthenticated, remote attacker to send an account activation email with an activation link that points to an arbitrary domain. This vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by sending a crafted HTTP request to the account activation page of Cisco Webex Meetings. A successful exploit could allow the attacker to send to any recipient an account activation email that contains a tampered activation link, which could direct the user to an attacker-controlled website. Una vulnerabilidad en la funcionalidad account activation de Cisco Webex Meetings podría permitir a un atacante remoto no autenticado enviar un correo electrónico de activación de cuentas con un enlace de activación que apunte a un dominio arbitrario. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-activation-3sdNFxcy • CWE-183: Permissive List of Allowed Inputs •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34743 – Cisco Webex Software Application Authorization Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-34743
A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile. Una vulnerabilidad en la funcionalidad application integration de Cisco Webex Software podría permitir a un atacante remoto no autenticado autorizar a una aplicación externa a integrarse y acceder a la cuenta de un usuario sin el consentimiento expreso de éste. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1544 – Cisco Webex Meetings Client Software Logging Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1544
A vulnerability in logging mechanisms of Cisco Webex Meetings client software could allow an authenticated, local attacker to gain access to sensitive information. This vulnerability is due to unsafe logging of application actions. An attacker could exploit this vulnerability by logging onto the local system and accessing files containing the logged details. A successful exploit could allow the attacker to gain access to sensitive information, including meeting data and recorded meeting transcriptions. Una vulnerabilidad en los mecanismos de registro del software cliente Cisco Webex Meetings podría permitir a un atacante local autentificado acceder a información sensible. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-8fpBnKOz • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-1536 – Cisco Webex Meetings, Webex Network Recording Player, and Webex Teams DLL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1536
A vulnerability in Cisco Webex Meetings Desktop App for Windows, Cisco Webex Meetings Server, Cisco Webex Network Recording Player for Windows, and Cisco Webex Teams for Windows could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. To exploit this vulnerability, the attacker must have valid credentials on the Windows system. This vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system, which can cause a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of another user account. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-dll-inject-XNmcSGTU • CWE-427: Uncontrolled Search Path Element •