Cisco Webex Meetings Desktop App Information Disclosure Vulnerabilities
Description
Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco Webex Meetings Desktop App fails to validate parameters from attacker-controlled URLs, enabling an authenticated attacker to obtain other users' restricted information via social engineering.
Vulnerability
The Cisco Webex Meetings Desktop App, prior to releases 39.5.24, 40.4.6, and 40.6, contains multiple input validation vulnerabilities in its user interface. These flaws, tracked as CVE-2020-3502, occur when the application processes parameters returned from a web site. Improper validation of path parameters allows an attacker who can craft a malicious URL to inject unexpected data into the application's parameter handling logic. The vulnerability does not require any special configuration to be reached, but it does rely on user interaction to trigger the malicious URL.
Exploitation
An attacker must have a valid Webex account and then persuade a victim user to click a crafted URL. The URL is designed to return malicious path parameters to the Webex Meetings Desktop App. Successful exploitation depends on the victim following the link, which may be delivered via email, instant message, or other communication channels. No other authentication or special network position is required beyond the attacker's valid account.
Impact
A successful exploit allows the attacker to obtain restricted information about other Webex users. The impact is primarily confidentiality; the attacker can access data intended to be private within the Webex environment. No file write or remote code execution is described. The attacker does not gain elevated privileges beyond what their own account provides, but they can view information belonging to other users.
Mitigation
Cisco has released software updates to fix these vulnerabilities. The fixed releases are 39.5.24, 40.4.6, and 40.6, along with later releases. There are no workarounds available. Users should upgrade to a patched version as soon as possible [1]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: n/a
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-g3zevBcp (mitre, vendor-advisory, x_refsource_CISCO)