CVE-2020-3441

18.11.2020, 19:15

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to view sensitive information from the meeting room lobby. This vulnerability is due to insufficient protection of sensitive participant information. An attacker could exploit this vulnerability by browsing the Webex roster. A successful exploit could allow the attacker to gather information about other Webex participants, such as email address and IP address, while waiting in the lobby.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cisco	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 73%

Vendor	Product	Version
cisco	webex_meetings	𝑥 ≤ 40.6.11
cisco	webex_meetings	𝑥 ≤ 40.11.3
cisco	webex_meetings_server	𝑥 < 3.0
cisco	webex_meetings_server	3.0:maintenance_release2
cisco	webex_meetings_server	3.0:maintenance_release3
cisco	webex_meetings_server	4.0
cisco	webex_meetings_server	4.0:maintenance_release1
cisco	webex_meetings_server	4.0:maintenance_release2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4