cotsganedo1972

Cisco Webex Vulnerability Allows Unauthorized Access to Meetings



Cisco said the flaw allowed an unauthenticated attacker to join password-protected meetings without providing the password. For the authentication bypass to work, the attacker would need to initiate the connection from the iOS or Android version of the Webex mobile app.




Cisco Webex Vulnerability Exploited to Join Meetings Without a Password



CVE-2020-3142
Access Vector: Network
Affected Platforms: Cisco Webex Meetings Suite sites 39.11.0; Cisco Webex Meetings Suite sites 40.1.0; Cisco Webex Meetings Online sites 39.11.0; Cisco Webex Meetings Online sites 40.1.0
Complexity: Low
Description: Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow a remote attacker to obtain sensitive information, caused by unintended meeting information exposure in a specific meeting join flow for mobile applications. By accessing a known meeting ID or meeting URL from the mobile device's web browser, an attacker could exploit this vulnerability to join a password-protected meeting without providing the meeting password.
Exploitability: Unproven
Reported: 2020-01-24T00:00:00Z
Risk Level: 7.5
STD Code: CVE-2020-3142
Title: Cisco Webex Meetings Suite sites information disclosure
Version: 3.0


CVE-2014-0160
Access Vector: Network
Affected Platforms: OpenSSL OpenSSL 1.0.1A; OpenSSL OpenSSL 1.0.1B; OpenSSL OpenSSL 1.0.1c; OpenSSL OpenSSL 1.0.1D; OpenSSL OpenSSL 1.0.1E; OpenSSL OpenSSL 1.0.1f
Complexity: Low
Description: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to remotely read system memory contents without needing to log on to the server. Successful exploitation could allow an attacker to retrieve private keys, passwords or other sensitive information. This vulnerability is commonly referred to as "Heartbleed".
Exploitability: Functional
Reported: 2014-04-07T00:00:00Z
Risk Level: 5
STD Code: CVE-2014-0160; US-CERT VU#720951; BID-66690; RHSA-2014-0376; RHSA-2014-0378; RHSA-2014-0396; BID-67206
Title: OpenSSL heartbeat information disclosure
Version: 2.0


Vulnerabilities, for one. Threat actors are not shy about using everything in their toolbox, and they are always on the lookout for any flaw or vulnerability they can exploit to pull off malicious attacks. For example, in early 2020, a vulnerability in Webex allowed unauthenticated users to join private meetings with just the meeting ID and a mobile Webex app.

