
Cisco WebEx Meetings Server Information Disclosure Vulnerability

cisco-sa-20170510-cwms · High · Published · Updated

A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings.

The vulnerability is due to an incomplete configuration of the robots.txt file on customer-hosted WebEx solutions and occurs when the Short URL functionality is not activated. All releases of Cisco WebEx Meetings Server later than release 2.5MR4 provide this functionality. An attacker could exploit this vulnerability via an exposed parameter to search for indexed meeting information. A successful exploit could allow the attacker to obtain scheduled meeting information and potentially allow the attacker to attend scheduled customer meetings.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170510-cwms


Workarounds

Customers can enable the Short URL functionality for their individual releases by following the steps in the guide for the appropriate release, listed below.

Note: Customers are advised to configure the block long URL links option, which appears below the Short URL function. Once the block long URL links functionality is activated, all previously scheduled meetings become invalid. Customers must reschedule all existing recurring meetings. It is also recommended that customers change their meeting passwords when rescheduling, for added security protection.

Guides for Enabling Short URL Functionality

Administration Guide for Release 2.5: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Administration_Guide/Administration_Guide/Administration_Guide_chapter_01111.html#task_E8A47834C9C140ADA3E05809DF253F11
Administration Guide for Release 2.6: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_6/Administration_Guide/Administration_Guide/Administration_Guide_chapter_01110.html#task_E8A47834C9C140ADA3E05809DF253F11
Administration Guide for Release 2.7: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_7/Administration_Guide/cwms_b_cwms-administration-2-7/cwms_b_cwms-administration-2-7_chapter_01110.html#task_E8A47834C9C140ADA3E05809DF253F11
Administration Guide for Release 2.8: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_8/Administration_Guide/cwms_b_cwms-administration-2-8/cwms_b_cwms-administration-2-8test_chapter_01110.html#task_E8A47834C9C140ADA3E05809DF253F11

CVEs: CVE-2017-6651
Cisco Bug IDs: CSCve25950
CVSS Score: Base 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X)
Product Names From Source: Cisco WebEx Meetings Server

Related Products

Product · CVE · Evidence
Cisco Webex Meetings · CVE-2017-6651 · Cisco OpenVuln
Cisco WebEx Meetings Server · CVE-2017-6651 · Cisco OpenVuln