cnvd - cnvd-2020-70855

cnvd-2020-70855

Vulnerability from cnvd

Title: Cisco Webex Teams跨站脚本漏洞

Description:

Cisco Webex Teams是一款综合通信应用程序，旨在为您提供所有必要的工具和合适的环境以增强团队协作。

Cisco Webex Teams的Web界面存在跨站脚本漏洞。该漏洞源于对用户名验证不当。攻击者可利用该漏洞进行跨站脚本攻击并访问敏感的基于浏览器的信息。

Severity: 中

Patch Name: Cisco Webex Teams跨站脚本漏洞的补丁

Patch Description:

Cisco Webex Teams是一款综合通信应用程序，旨在为您提供所有必要的工具和合适的环境以增强团队协作。

Cisco Webex Teams的Web界面存在跨站脚本漏洞。该漏洞源于对用户名验证不当。攻击者可利用该漏洞进行跨站脚本攻击并访问敏感的基于浏览器的信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3

Reference: https://www.auscert.org.au/bulletins/ESB-2020.3856/

Impacted products

Name
Cisco Cisco Webex Teams

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-26067",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-26067"
    }
  },
  "description": "Cisco Webex Teams\u662f\u4e00\u6b3e\u7efc\u5408\u901a\u4fe1\u5e94\u7528\u7a0b\u5e8f\uff0c\u65e8\u5728\u4e3a\u60a8\u63d0\u4f9b\u6240\u6709\u5fc5\u8981\u7684\u5de5\u5177\u548c\u5408\u9002\u7684\u73af\u5883\u4ee5\u589e\u5f3a\u56e2\u961f\u534f\u4f5c\u3002\n\nCisco Webex Teams\u7684Web\u754c\u9762\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u7528\u6237\u540d\u9a8c\u8bc1\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u5e76\u8bbf\u95ee\u654f\u611f\u7684\u57fa\u4e8e\u6d4f\u89c8\u5668\u7684\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-70855",
  "openTime": "2020-12-11",
  "patchDescription": "Cisco Webex Teams\u662f\u4e00\u6b3e\u7efc\u5408\u901a\u4fe1\u5e94\u7528\u7a0b\u5e8f\uff0c\u65e8\u5728\u4e3a\u60a8\u63d0\u4f9b\u6240\u6709\u5fc5\u8981\u7684\u5de5\u5177\u548c\u5408\u9002\u7684\u73af\u5883\u4ee5\u589e\u5f3a\u56e2\u961f\u534f\u4f5c\u3002\r\n\r\nCisco Webex Teams\u7684Web\u754c\u9762\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u7528\u6237\u540d\u9a8c\u8bc1\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u5e76\u8bbf\u95ee\u654f\u611f\u7684\u57fa\u4e8e\u6d4f\u89c8\u5668\u7684\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Webex Teams\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Cisco Webex Teams"
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.3856/",
  "serverity": "\u4e2d",
  "submitTime": "2020-11-05",
  "title": "Cisco Webex Teams\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2020-26067 (GCVE-0-2020-26067)

Vulnerability from cvelistv5

Published

2024-11-18 16:10

Modified

2024-11-26 14:41

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Summary

A vulnerability in the web-based interface of Cisco Webex Teams could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to improper validation of usernames. An attacker could exploit this vulnerability by creating an account that contains malicious HTML or script content and joining a space using the malicious account name. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

References

▼	URL	Tags
	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Webex Teams	Version: N/A

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-26067",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-18T17:21:04.083089Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T14:41:03.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Webex Teams",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "N/A"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based interface of Cisco\u0026nbsp;Webex Teams could allow an authenticated, remote attacker to conduct cross-site scripting attacks.\r\nThe vulnerability is due to improper validation of usernames. An attacker could exploit this vulnerability by creating an account that contains malicious HTML or script content and joining a space using the malicious account name. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information.Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco\u00a0Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:X/RC:X/E:X",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-18T16:10:34.462Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-webex-teams-xss-zLW9tD3",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3"
        }
      ],
      "source": {
        "advisory": "cisco-sa-webex-teams-xss-zLW9tD3",
        "defects": [
          "CSCvv40214"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Cisco Webex Teams Web Interface Cross-Site Scripting Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-26067",
    "datePublished": "2024-11-18T16:10:24.951Z",
    "dateReserved": "2020-09-24T00:00:00.000Z",
    "dateUpdated": "2024-11-26T14:41:03.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted