cnvd - cnvd-2017-16004

cnvd-2017-16004

Vulnerability from cnvd

Title: Cisco WebEx Browser Extension远程代码执行漏洞

Description:

Google Chrome for Windows是美国谷歌（Google）公司开发的一款基于Windows的Web浏览器。Mozilla Firefox for Windows是美国Mozilla基金会的一款基于Windows平台的开源Web浏览器。Cisco WebEx Browser Extension是应用在其中的一个美国思科（Cisco）公司的在线会议扩展插件。

基于Windows平台的Google Chrome和Mozilla firefox上的Cisco WebEx Browser Extension 1.0.12之前的版本中存在远程代码执行漏洞。远程攻击者可通过诱使用户访问恶意的Web页面或点击恶意的链接利用该漏洞执行任意代码。

Severity: 高

Patch Name: Cisco WebEx Browser Extension远程代码执行漏洞的补丁

Patch Description:

基于Windows平台的Google Chrome和Mozilla firefox上的Cisco WebEx Browser Extension 1.0.12之前的版本中存在远程代码执行漏洞。远程攻击者可通过诱使用户访问恶意的Web页面或点击恶意的链接利用该漏洞执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Reference: http://www.securityfocus.com/bid/99614

Impacted products

Name
['Cisco WebEx extension on Mozilla Firefox <1.0.12', 'Cisco WebEx extension on Google Chrome <1.0.12']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "99614"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6753"
    }
  },
  "description": "Google Chrome for Windows\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u5f00\u53d1\u7684\u4e00\u6b3e\u57fa\u4e8eWindows\u7684Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox for Windows\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eWindows\u5e73\u53f0\u7684\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Cisco WebEx Browser Extension\u662f\u5e94\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u5728\u7ebf\u4f1a\u8bae\u6269\u5c55\u63d2\u4ef6\u3002\r\n\r\n\u57fa\u4e8eWindows\u5e73\u53f0\u7684Google Chrome\u548cMozilla firefox\u4e0a\u7684Cisco WebEx Browser Extension 1.0.12\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7684Web\u9875\u9762\u6216\u70b9\u51fb\u6076\u610f\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-16004",
  "openTime": "2017-07-24",
  "patchDescription": "Google Chrome for Windows\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u5f00\u53d1\u7684\u4e00\u6b3e\u57fa\u4e8eWindows\u7684Web\u6d4f\u89c8\u5668\u3002Mozilla Firefox for Windows\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eWindows\u5e73\u53f0\u7684\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002Cisco WebEx Browser Extension\u662f\u5e94\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u5728\u7ebf\u4f1a\u8bae\u6269\u5c55\u63d2\u4ef6\u3002\r\n\r\n\u57fa\u4e8eWindows\u5e73\u53f0\u7684Google Chrome\u548cMozilla firefox\u4e0a\u7684Cisco WebEx Browser Extension 1.0.12\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7684Web\u9875\u9762\u6216\u70b9\u51fb\u6076\u610f\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco WebEx Browser Extension\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco WebEx extension on Mozilla Firefox \u003c1.0.12",
      "Cisco WebEx extension on Google Chrome \u003c1.0.12"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/99614",
  "serverity": "\u9ad8",
  "submitTime": "2017-07-18",
  "title": "Cisco WebEx Browser Extension\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2017-6753 (GCVE-0-2017-6753)

Vulnerability from cvelistv5

Published

2017-07-25 19:00

Modified

2024-08-05 15:41

Severity ?

CWE

CWE-119

Summary

A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. The following versions of the Cisco WebEx browser extensions are affected: Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome, Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox. Cisco Bug IDs: CSCvf15012 CSCvf15020 CSCvf15030 CSCvf15033 CSCvf15036 CSCvf15037.

References

▼	URL	Tags
	http://www.securitytracker.com/id/1038911	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/99614	vdb-entry, x_refsource_BID
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1038910	vdb-entry, x_refsource_SECTRACK
	http://www.securitytracker.com/id/1038909	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	Cisco WebEx Browser Extension	Version: Cisco WebEx Browser Extension

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:41:17.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038911",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038911"
          },
          {
            "name": "99614",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/99614"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex"
          },
          {
            "name": "1038910",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038910"
          },
          {
            "name": "1038909",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038909"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco WebEx Browser Extension",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco WebEx Browser Extension"
            }
          ]
        }
      ],
      "datePublic": "2017-07-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. The following versions of the Cisco WebEx browser extensions are affected: Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome, Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox. Cisco Bug IDs: CSCvf15012 CSCvf15020 CSCvf15030 CSCvf15033 CSCvf15036 CSCvf15037."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-26T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "1038911",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038911"
        },
        {
          "name": "99614",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/99614"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex"
        },
        {
          "name": "1038910",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038910"
        },
        {
          "name": "1038909",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038909"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-6753",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco WebEx Browser Extension",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco WebEx Browser Extension"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. The following versions of the Cisco WebEx browser extensions are affected: Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome, Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox. Cisco Bug IDs: CSCvf15012 CSCvf15020 CSCvf15030 CSCvf15033 CSCvf15036 CSCvf15037."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038911",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038911"
            },
            {
              "name": "99614",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/99614"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex"
            },
            {
              "name": "1038910",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038910"
            },
            {
              "name": "1038909",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038909"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-6753",
    "datePublished": "2017-07-25T19:00:00",
    "dateReserved": "2017-03-09T00:00:00",
    "dateUpdated": "2024-08-05T15:41:17.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted