CVE-2018-15442
Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
Una vulnerabilidad en el servicio de actualizaciones de Cisco Webex Meetings Desktop App para Windows podría permitir que un atacante local autenticado ejecute comandos arbitrarios como usuario privilegiado. Esta vulnerabilidad se debe a una validación insuficiente de los parámetros introducidos por el usuario. Un atacante podría explotar esta vulnerabilidad invocando el comando específico del servicio de actualizaciones con un argumento manipulado. Su explotación con éxito podría permitir que el atacante ejecute comandos arbitrarios con privilegios de usuario SYSTEM. Aunque la métrica del vector de ataque de CVSS denota los requisitos para que un atacante tenga acceso local, los administradores deberían ser conscientes de que, en las implementaciones de Active Directory, la vulnerabilidad podría ser explotada remotamente aprovechando las herramientas de gestión remota del sistema operativo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-08-17 CVE Reserved
- 2018-10-24 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- 2024-11-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/105734 | Third Party Advisory | |
http://www.securitytracker.com/id/1041942 | Third Party Advisory | |
https://webexec.org |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/45696 | 2024-09-16 | |
https://www.exploit-db.com/exploits/45695 | 2024-09-16 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Cisco Search vendor "Cisco" | Webex Meetings Desktop Search vendor "Cisco" for product "Webex Meetings Desktop" | < 33.6.4 Search vendor "Cisco" for product "Webex Meetings Desktop" and version " < 33.6.4" | windows |
Affected
| ||||||
Cisco Search vendor "Cisco" | Webex Productivity Tools Search vendor "Cisco" for product "Webex Productivity Tools" | >= 32.6.0 < 33.0.6 Search vendor "Cisco" for product "Webex Productivity Tools" and version " >= 32.6.0 < 33.0.6" | - |
Affected
|