Cisco WebEx Meeting Center GET Parameter Vulnerability

Available Languages

Updated:October 8, 2015
Document ID:1454775065065866

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Cisco WebEx Meeting Center GET Parameter Vulnerability

Medium
Advisory ID:
Cisco-SA-20150623-CVE-2015-4208
First Published:
2015 June 23 14:47 GMT
Version 1.0:
Final
Workarounds:
See below
CVE-2015-4208
CWE-200
CVSS Score:
Base 6.4, Temporal 5.6Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C
CVE-2015-4208
CWE-200

Summary

  • A vulnerability in Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to view sensitive information that is transmitted in GET parameters or perform SQL injection.
     
    The vulnerability is due to the inclusion of sensitive information in the URL as GET parameters. An attacker could exploit this vulnerability by viewing application URL requests containing sensitive information in GET parameters or by injecting SQL commands directly into the URL.

    Cisco has confirmed the vulnerability and released software updates.

    A successful exploit of this vulnerability could be leveraged by an attacker to conduct further attacks. Administrators are advised to ensure only trusted users have authorized access to interact with an affected device.

Affected Products

  • Cisco has released bug ID CSCup88398 for registered users, which contains additional details and an up-to-date list of affected product versions.

    Vulnerable Products

    Cisco Hosted WebEx Meeting Center is vulnerable.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by these vulnerabilities.

Workarounds

  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.

    Administrators are advised to monitor affected systems.

Fixed Software

  • Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL

Revision History

  • VersionDescriptionSectionStatusDate
    1.0Initial ReleaseNAFinal2015-Jun-23
    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications