Detections
Analytics

Cisco Webex Teams Logging Feature Command Execution Vulnerability

high Nessus Plugin ID 136712

Language:

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco Webex Teams client for Windows is affected by a command execution vulnerability due to improper restrictions on software logging features. An unauthenticated, remote attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application. A successful exploit allows the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user.

Please see the included Cisco BID and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvp30119

See Also

http://www.nessus.org/u?f0829514

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp30119

Plugin Details

Severity: High

ID: 136712

File Name: cisco-sa-20190904-webex-teams.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 5/19/2020

Updated: 11/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-1939

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:webex_teams

Required KB Items: SMB/Registry/Enumerated, installed_sw/Webex Teams

Exploit Ease: No known exploits are available

Patch Publication Date: 9/4/2019

Vulnerability Publication Date: 9/4/2019

Reference Information

CVE: CVE-2019-1939

CWE: 74

CISCO-SA: cisco-sa-20190904-webex-teams

CISCO-BUG-ID: CSCvp30119