CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1855 – Cisco Jabber for Windows DLL Preloading Vulnerability
https://notcve.org/view.php?id=CVE-2019-1855
A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of the resources loaded by the application at run time. An attacker could exploit this vulnerability by crafting a malicious DLL file and placing it in a specific location on the targeted system. The malicious DLL file would execute when the Jabber application launches. • http://www.securityfocus.com/bid/109038 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-jabber-dll • CWE-264: Permissions, Privileges, and Access Controls CWE-427: Uncontrolled Search Path Element •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0483 – Cisco Jabber Client Framework Instant Message Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2018-0483
A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system. The vulnerability is due to insufficient validation of user-supplied input of an affected client. An attacker could exploit this vulnerability by executing arbitrary JavaScript in the Jabber client of the recipient. A successful exploit could allow the attacker to execute arbitrary script code in the context of the targeted client or allow the attacker to access sensitive client-based information. Una vulnerabilidad en Cisco Jabber Client Framework (JCF) podría permitir que un atacante remoto autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS) contra un usuario de un sistema afectado. • http://www.securityfocus.com/bid/106506 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-jcf-im-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0449 – Cisco Jabber Client Framework Insecure Directory Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2018-0449
A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges. The vulnerability exists due to insecure directory permissions set on a JCF created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. An attacker could convince another user that has administrative privileges to perform an install or update the Cisco Jabber for Mac client to perform such actions, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten. Una vulnerabilidad en el software Cisco Jabber Client Framework (JCF), instalado como parte del cliente Cisco Jabber para Mac, podría permitir que un atacante local autenticado corrompa archivos arbitrarios en un dispositivo afectado que cuenta con privilegios elevados. • http://www.securityfocus.com/bid/106520 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-jabr-mac-permissions • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-0201
https://notcve.org/view.php?id=CVE-2018-0201
A vulnerability in Cisco Jabber Client Framework (JCF) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected device. The vulnerability is due to improper neutralization of input during web page generation. An attacker could exploit this vulnerability by embedding media in instant messages. An exploit could allow the attacker to cause the recipient chat client to make outbound requests. Cisco Bug IDs: CSCve54001. • http://www.securityfocus.com/bid/103133 http://www.securitytracker.com/id/1040406 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-jcf1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-0199
https://notcve.org/view.php?id=CVE-2018-0199
A vulnerability in Cisco Jabber Client Framework (JCF) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected device. The vulnerability is due to improper neutralization of script in attributes in a web page. An attacker could exploit this vulnerability by executing arbitrary JavaScript in the Jabber client of the recipient. An exploit could allow the attacker to perform remote code execution. Cisco Bug IDs: CSCve53989. • http://www.securityfocus.com/bid/103143 http://www.securitytracker.com/id/1040407 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-jcf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •