cnvd - cnvd-2021-05521

cnvd-2021-05521

Vulnerability from cnvd

Title: Cisco Webex Teams共享文件操纵漏洞

Description:

Cisco Webex Teams是一款综合通信应用程序，旨在为您提供所有必要的工具和合适的环境以增强团队协作。

Cisco Webex Teams 40.12.0.17293之前版本存在共享文件操纵漏洞。该漏洞源于该软件未能正确处理字符渲染。攻击者可通过在应用程序界面内共享文件利用该漏洞修改共享文件名在界面中的显示方式，从而可进行钓鱼或欺骗攻击。

Severity: 中

Patch Name: Cisco Webex Teams共享文件操纵漏洞的补丁

Patch Description:

Cisco Webex Teams是一款综合通信应用程序，旨在为您提供所有必要的工具和合适的环境以增强团队协作。

Cisco Webex Teams 40.12.0.17293之前版本存在共享文件操纵漏洞。该漏洞源于该软件未能正确处理字符渲染。攻击者可通过在应用程序界面内共享文件利用该漏洞修改共享文件名在界面中的显示方式，从而可进行钓鱼或欺骗攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新：https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-1242

Impacted products

Name
Cisco Webex Teams <40.12.0.17293

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-1242",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-1242"
    }
  },
  "description": "Cisco Webex Teams\u662f\u4e00\u6b3e\u7efc\u5408\u901a\u4fe1\u5e94\u7528\u7a0b\u5e8f\uff0c\u65e8\u5728\u4e3a\u60a8\u63d0\u4f9b\u6240\u6709\u5fc5\u8981\u7684\u5de5\u5177\u548c\u5408\u9002\u7684\u73af\u5883\u4ee5\u589e\u5f3a\u56e2\u961f\u534f\u4f5c\u3002\n\nCisco Webex Teams 40.12.0.17293\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5171\u4eab\u6587\u4ef6\u64cd\u7eb5\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8be5\u8f6f\u4ef6\u672a\u80fd\u6b63\u786e\u5904\u7406\u5b57\u7b26\u6e32\u67d3\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5728\u5e94\u7528\u7a0b\u5e8f\u754c\u9762\u5185\u5171\u4eab\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539\u5171\u4eab\u6587\u4ef6\u540d\u5728\u754c\u9762\u4e2d\u7684\u663e\u793a\u65b9\u5f0f\uff0c\u4ece\u800c\u53ef\u8fdb\u884c\u9493\u9c7c\u6216\u6b3a\u9a97\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-05521",
  "openTime": "2021-01-25",
  "patchDescription": "Cisco Webex Teams\u662f\u4e00\u6b3e\u7efc\u5408\u901a\u4fe1\u5e94\u7528\u7a0b\u5e8f\uff0c\u65e8\u5728\u4e3a\u60a8\u63d0\u4f9b\u6240\u6709\u5fc5\u8981\u7684\u5de5\u5177\u548c\u5408\u9002\u7684\u73af\u5883\u4ee5\u589e\u5f3a\u56e2\u961f\u534f\u4f5c\u3002\r\n\r\nCisco Webex Teams 40.12.0.17293\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5171\u4eab\u6587\u4ef6\u64cd\u7eb5\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8be5\u8f6f\u4ef6\u672a\u80fd\u6b63\u786e\u5904\u7406\u5b57\u7b26\u6e32\u67d3\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5728\u5e94\u7528\u7a0b\u5e8f\u754c\u9762\u5185\u5171\u4eab\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u4fee\u6539\u5171\u4eab\u6587\u4ef6\u540d\u5728\u754c\u9762\u4e2d\u7684\u663e\u793a\u65b9\u5f0f\uff0c\u4ece\u800c\u53ef\u8fdb\u884c\u9493\u9c7c\u6216\u6b3a\u9a97\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Webex Teams\u5171\u4eab\u6587\u4ef6\u64cd\u7eb5\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Webex Teams \u003c40.12.0.17293"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-1242",
  "serverity": "\u4e2d",
  "submitTime": "2021-01-14",
  "title": "Cisco Webex Teams\u5171\u4eab\u6587\u4ef6\u64cd\u7eb5\u6f0f\u6d1e"
}

CVE-2021-1242 (GCVE-0-2021-1242)

Vulnerability from cvelistv5

Published

2021-01-13 21:17

Modified

2024-11-12 20:47

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-450

Summary

A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to manipulate file names within the messaging interface. The vulnerability exists because the affected software mishandles character rendering. An attacker could exploit this vulnerability by sharing a file within the application interface. A successful exploit could allow the attacker to modify how the shared file name displays within the interface, which could allow the attacker to conduct phishing or spoofing attacks.

References

▼	URL	Tags
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99	vendor-advisory, x_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Webex Teams	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:02:56.315Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20210113 Cisco Webex Teams Shared File Manipulation Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-1242",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T20:54:45.764818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T20:47:40.135Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Webex Teams",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2021-01-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to manipulate file names within the messaging interface. The vulnerability exists because the affected software mishandles character rendering. An attacker could exploit this vulnerability by sharing a file within the application interface. A successful exploit could allow the attacker to modify how the shared file name displays within the interface, which could allow the attacker to conduct phishing or spoofing attacks."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-450",
              "description": "CWE-450",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-13T21:17:28",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20210113 Cisco Webex Teams Shared File Manipulation Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99"
        }
      ],
      "source": {
        "advisory": "cisco-sa-webex-teams-7ZMcXG99",
        "defect": [
          [
            "CSCvv74842"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Webex Teams Shared File Manipulation Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2021-01-13T16:00:00",
          "ID": "CVE-2021-1242",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Webex Teams Shared File Manipulation Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Webex Teams",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to manipulate file names within the messaging interface. The vulnerability exists because the affected software mishandles character rendering. An attacker could exploit this vulnerability by sharing a file within the application interface. A successful exploit could allow the attacker to modify how the shared file name displays within the interface, which could allow the attacker to conduct phishing or spoofing attacks."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "4.3",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-450"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20210113 Cisco Webex Teams Shared File Manipulation Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-7ZMcXG99"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-webex-teams-7ZMcXG99",
          "defect": [
            [
              "CSCvv74842"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2021-1242",
    "datePublished": "2021-01-13T21:17:28.265054Z",
    "dateReserved": "2020-11-13T00:00:00",
    "dateUpdated": "2024-11-12T20:47:40.135Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted