// For flags

CVE-2019-1866

Cisco Webex Business Suite Host Header Value Integrity Vulnerability

Severity Score

3.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Cisco Webex Business Suite before 39.1.0 contains a vulnerability that could allow an unauthenticated, remote attacker to affect the integrity of the application. The vulnerability is due to improper validation of host header values. An attacker with a privileged network position, either a man-in-the-middle or by intercepting wireless network traffic, could exploit this vulnerability to manipulate header values sent by a client to the affected application. The attacker could cause the application to use input from the header to redirect a user from the Cisco Webex Meetings Online site to an arbitrary site of the attacker's choosing.

Cisco Webex Business Suite versiones anteriores a 39.1.0, contiene una vulnerabilidad que podría permitir a un atacante no autenticado remoto afectar la integridad de la aplicación. La vulnerabilidad es debido a una comprobación inapropiada de los valores del encabezado del host. Un atacante con una posición de red privilegiada, ya sea de tipo man-in-the-middle o mediante la intercepción del tráfico de la red inalámbrica, podría explotar esta vulnerabilidad para manipular los valores de encabezado enviados por un cliente a la aplicación afectada. El atacante podría causar que la aplicación utilice la entrada del encabezado para redireccionar a un usuario desde el sitio de Cisco Webex Meetings Online hacia un sitio arbitrario de la elección del atacante.

*Credits: Cisco would like to thank Prasenjit Kanti Paul for reporting this vulnerability.
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2018-12-06 CVE Reserved
  • 2020-04-13 CVE Published
  • 2023-04-17 EPSS Updated
  • 2024-11-15 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
  • CWE-345: Insufficient Verification of Data Authenticity
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm98833 2020-04-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
 Webex Business Suite 39
Search vendor "Cisco" for product "Webex Business Suite 39"
 < 39.1.0
Search vendor "Cisco" for product "Webex Business Suite 39" and version " < 39.1.0"
-
Affected