cnvd - cnvd-2018-11319

cnvd-2018-11319

Vulnerability from cnvd

Title: Cisco WebEx跨站脚本漏洞

Description:

Cisco WebEx是美国思科（Cisco）公司的一套Web会议工具，该工具可协助异地办公人员进行协调合作。WebEx服务包括Web会议、网真视频会议和企业即时消息(IM)等。

Cisco WebEx中的Web框架存在跨站脚本漏洞，该漏洞源于程序未能充分的验证通过HTTP GET和HTTP POST方法传递到受影响软件的参数。远程攻击者可通过诱使用户打开攻击者提供的链接利用该漏洞在用户浏览器中执行任意脚本或HTML。

Severity: 中

Patch Name: Cisco WebEx跨站脚本漏洞的补丁

Patch Description:

Cisco WebEx中的Web框架存在跨站脚本漏洞，该漏洞源于程序未能充分的验证通过HTTP GET和HTTP POST方法传递到受影响软件的参数。远程攻击者可通过诱使用户打开攻击者提供的链接利用该漏洞在用户浏览器中执行任意脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布漏洞修复程序，请及时关注更新： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss

Impacted products

Name
Cisco WebEx 0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104421"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0356"
    }
  },
  "description": "Cisco WebEx\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957Web\u4f1a\u8bae\u5de5\u5177\uff0c\u8be5\u5de5\u5177\u53ef\u534f\u52a9\u5f02\u5730\u529e\u516c\u4eba\u5458\u8fdb\u884c\u534f\u8c03\u5408\u4f5c\u3002WebEx\u670d\u52a1\u5305\u62ecWeb\u4f1a\u8bae\u3001\u7f51\u771f\u89c6\u9891\u4f1a\u8bae\u548c\u4f01\u4e1a\u5373\u65f6\u6d88\u606f(IM)\u7b49\u3002\r\n\r\nCisco WebEx\u4e2d\u7684Web\u6846\u67b6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u9a8c\u8bc1\u901a\u8fc7HTTP GET\u548cHTTP POST\u65b9\u6cd5\u4f20\u9012\u5230\u53d7\u5f71\u54cd\u8f6f\u4ef6\u7684\u53c2\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Adam Willard",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-11319",
  "openTime": "2018-06-12",
  "patchDescription": "Cisco WebEx\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957Web\u4f1a\u8bae\u5de5\u5177\uff0c\u8be5\u5de5\u5177\u53ef\u534f\u52a9\u5f02\u5730\u529e\u516c\u4eba\u5458\u8fdb\u884c\u534f\u8c03\u5408\u4f5c\u3002WebEx\u670d\u52a1\u5305\u62ecWeb\u4f1a\u8bae\u3001\u7f51\u771f\u89c6\u9891\u4f1a\u8bae\u548c\u4f01\u4e1a\u5373\u65f6\u6d88\u606f(IM)\u7b49\u3002\r\n\r\nCisco WebEx\u4e2d\u7684Web\u6846\u67b6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u9a8c\u8bc1\u901a\u8fc7HTTP GET\u548cHTTP POST\u65b9\u6cd5\u4f20\u9012\u5230\u53d7\u5f71\u54cd\u8f6f\u4ef6\u7684\u53c2\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u94fe\u63a5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco WebEx\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco WebEx 0"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss",
  "serverity": "\u4e2d",
  "submitTime": "2018-06-07",
  "title": "Cisco WebEx\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2018-0356 (GCVE-0-2018-0356)

Vulnerability from cvelistv5

Published

2018-06-07 21:00

Modified

2024-11-29 15:03

Severity ?

CWE

CWE-79

Summary

A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvi63757.

References

▼	URL	Tags
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/104421	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1041062	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	Cisco WebEx unknown	Version: Cisco WebEx unknown

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:21:15.588Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss"
          },
          {
            "name": "104421",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104421"
          },
          {
            "name": "1041062",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041062"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2018-0356",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-29T14:37:43.006053Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-29T15:03:19.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco WebEx unknown",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco WebEx unknown"
            }
          ]
        }
      ],
      "datePublic": "2018-06-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user\u0027s browser in the context of an affected site. Cisco Bug IDs: CSCvi63757."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-14T09:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss"
        },
        {
          "name": "104421",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104421"
        },
        {
          "name": "1041062",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041062"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2018-0356",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco WebEx unknown",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco WebEx unknown"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user\u0027s browser in the context of an affected site. Cisco Bug IDs: CSCvi63757."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss"
            },
            {
              "name": "104421",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104421"
            },
            {
              "name": "1041062",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041062"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2018-0356",
    "datePublished": "2018-06-07T21:00:00",
    "dateReserved": "2017-11-27T00:00:00",
    "dateUpdated": "2024-11-29T15:03:19.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted