Vulnerability Name: CVE-2020-3502 (CCN-186293)

Assigned: 2019-12-12
Published: 2020-08-05
Updated: 2020-08-19
Summary: Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users.
CVSS v3 Severity: 4.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)
3.6 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
4.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)
3.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-20
Vulnerability Consequences: Obtain Information
References: Source: MITRE
Type: CNA
CVE-2020-3502

Source: XF
Type: UNKNOWN
cisco-cve20203502-info-disc(186293)

Source: CCN
Type: Cisco Security Advisory cisco-sa-webex-client-g3zevBcp
Cisco Webex Meetings Desktop App Information Disclosure Vulnerabilities

Source: CISCO
Type: Vendor Advisory
20200805 Cisco Webex Meetings Desktop App Information Disclosure Vulnerabilities

Vulnerable Configuration: Configuration 1:
  • cpe:/a:cisco:webex_meetings:*:*:*:*:*:*:*:* (Version < 39.5.24)
  • OR cpe:/a:cisco:webex_meetings:39.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings:*:*:*:*:*:*:*:* (Version >= 40.4.0 and < 40.4.6)
  • OR cpe:/a:cisco:webex_meetings:*:*:*:*:*:*:*:* (Version >= 40.4.10 and < 40.6.0)
  • OR cpe:/a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:3.0:maintenance_release1:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:3.0:maintenance_release2:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:3.0:maintenance_release3:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*
