CVE-2021-1420

Cisco Webex Meetings HTML Injection Vulnerability

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability in certain web pages of Cisco Webex Meetings could allow an unauthenticated, remote attacker to modify a web page in the context of a user's browser. The vulnerability is due to improper checks on parameter values in affected pages. An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.

Una vulnerabilidad en determinadas páginas web de Cisco Webex Meetings, podría permitir a un atacante remoto no autenticado modificar una página web en el contexto del navegador de un usuario. La vulnerabilidad es debido a comprobaciones inapropiadas de los valores de los parámetros en páginas afectadas. Un atacante podría explotar esta vulnerabilidad al persuadir a un usuario para seguir un vínculo elaborado que está diseñado para pasar código HTML a un parámetro afectado. Una explotación con éxito podría permitir al atacante alterar el contenido de una página web para redireccionar al usuario a sitios web potencialmente maliciosos, o el atacante podría usar esta vulnerabilidad para conducir más ataques del lado del cliente

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2020-11-13 CVE Reserved
2021-04-08 CVE Published
2024-04-10 EPSS Updated
2024-11-08 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-VObwRKWV	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Webex Meetings Search vendor "Cisco" for product "Webex Meetings"				-		-		Affected