CVE-2021-1420 – Cisco Webex Meetings HTML Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1420
A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks. Una vulnerabilidad en determinadas páginas web de Cisco Webex Meetings, podría permitir a un atacante remoto no autenticado modificar una página web en el contexto del navegador de un usuario. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-VObwRKWV • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2021-1351 – Cisco Webex Meetings Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-1351
A vulnerability in the web-based interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Una vulnerabilidad en la interfaz basada en web de Cisco Webex Meetings, podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz basada en web del servicio afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Lz6HbGCt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2021-1372 – Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-1372
A vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. This vulnerability is due to the unsafe usage of shared memory by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens. Note: To exploit this vulnerability, an attacker must have valid credentials on a Microsoft Windows end-user system and must log in after another user has already authenticated with Webex on the same end-user system. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wda-pt-msh-6LWOcZ5 • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVE-2021-1221 – Cisco Webex Meetings and Cisco Webex Meetings Server Software Hyperlink Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1221
A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-linkinj-WWZpVqu9 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2021-1310 – Cisco Webex Meetings Open Redirect Vulnerability
https://notcve.org/view.php?id=CVE-2021-1310
A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page, bypassing the warning mechanism that should prompt the user before the redirection. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website, bypassing the Webex URL check that should result in a warning before the redirection to the web page. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to convince users to unknowingly visit malicious sites. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-open-redirect-PWvBQ2q • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •