CVE-2020-3502

Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users.

CVSS v3 4.1 MEDIUM
CVSS v2.0 3.5 LOW

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-g3zevBcp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:webex_meetings::::::::
	cpe:2.3:a:cisco:webex_meetings::::::::
	cpe:2.3:a:cisco:webex_meetings::::::::
	cpe:2.3:a:cisco:webex_meetings:39.7.4:::::::*
	cpe:2.3:a:cisco:webex_meetings_server:3.0:-::::::
	cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release1::::::
	cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release2::::::
	cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3::::::
	cpe:2.3:a:cisco:webex_meetings_server:4.0:-::::::
	cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release1::::::
	cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release2::::::

History

No history.

Information

Published : 2020-08-17 18:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-3502

Mitre link : CVE-2020-3502

CVE.ORG link : CVE-2020-3502

JSON object : View

Products Affected

cisco

webex_meetings_server
webex_meetings

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2020-3502", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2020-08-17T18:15:14.103", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-g3zevBcp", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades en la interfaz de usuario de Cisco Webex Meetings Desktop App podr\u00edan permitir a un atacante remoto autenticado obtener informaci\u00f3n restringida de otros usuarios de Webex. Estas vulnerabilidades son debido a una comprobaci\u00f3n de entrada inapropiada de los par\u00e1metros devueltos a la aplicaci\u00f3n desde un sitio web. Un atacante con una cuenta de Webex v\u00e1lida podr\u00eda explotar estas vulnerabilidades al persuadir a un usuario a seguir una URL dise\u00f1ada para devolver par\u00e1metros de ruta maliciosos al software afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante obtener informaci\u00f3n restringida de otros usuarios de Webex."}], "lastModified": "2023-11-07T03:22:49.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FDF9D9B-D876-4C89-AE65-1F54EF19B2AC", "versionEndExcluding": "39.5.24"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A54DDCE9-2907-4833-97BE-197726344481", "versionEndExcluding": "40.4.6", "versionStartIncluding": "40.4.0"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99F3A597-ABD0-4404-AF49-CEC9650C3FB0", "versionEndExcluding": "40.6.0", "versionStartIncluding": "40.4.10"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings:39.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A9F521F-5D30-4DE7-A308-D1EC7F17C5FB"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61D1081F-87E8-4E8B-BEBD-0F239E745586"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D138973-02B0-4FEC-A646-FF1278DA1EDF"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30B55A5B-8C5E-4ECB-9C85-A8A3A3030850"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14DBEC10-0641-441C-BE15-8F72C1762DCE"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D6CF856-093A-4E89-A71D-50A2887C265B"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B36A9043-0621-43CD-BFCD-66529F937859"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8842B42E-C412-4356-9F54-DFC53B683D3E"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}