New Cisco Webex vulnerability allows hackers to take control of your network

Vulnerability testing specialists report the presence of a critical security flaw in some Cisco products, including Webex, the popular video conferencing platform. If exploited, the vulnerability could allow a remote hacker to execute commands on the target system.


The vulnerability was detected in the Webex Video Mesh web management interface, a feature that improves audio and video during a videoconference. In the report, the researchers mention that exploiting this flaw allows arbitrary command execution on the underlying Linux system with root user privileges.


The report indicates that the flaw can be exploited remotely; however, vulnerability testing experts mention that threat actors exploiting this flaw must first be authenticated on the system. In addition, before carrying out the attack they would need to log in to the web interface of the affected system and send requests specifically designed for exploitation.


The flaw exists because the Webex Video Mesh web interface does not correctly validate requests sent by the attacker, which ultimately allows arbitrary command execution. The vulnerability affects all versions of this software prior to 2019.03.19.1956m. In addition, the flaw received a score of 7.2/10 on the Common Vulnerability Scoring System (CVSS) scale, so it is considered a high severity flaw.


The main risk that exploiting this flaw would bring is the possibility of launching cross-site request forgery (XSRF) attacks, vulnerability testing experts mention. It should be noted that these attacks also depend on the launch of a social engineering campaign to trick victims into visiting websites operated by hackers and designed to send forged requests.


The flaw was discovered by vulnerability testing specialist Mehmet’nde ..