CVE-2020-3501

17.08.2020, 18:15

Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
cisco	CNA	4.1 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
cisco	webex_meetings	𝑥 < 39.5.24
cisco	webex_meetings	40.4.0 ≤ 𝑥 < 40.4.6
cisco	webex_meetings	40.4.10 ≤ 𝑥 < 40.6.0
cisco	webex_meetings	39.7.4
cisco	webex_meetings_server	3.0
cisco	webex_meetings_server	3.0:maintenance_release1
cisco	webex_meetings_server	3.0:maintenance_release2
cisco	webex_meetings_server	3.0:maintenance_release3
cisco	webex_meetings_server	4.0
cisco	webex_meetings_server	4.0:maintenance_release1
cisco	webex_meetings_server	4.0:maintenance_release2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-g3zevBcp