A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities – including one remote code execution (RCE) flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message.
Norwegian infosec biz Watchcom spotted the vulnerabilities, having been asked by a client to verify that a previous patch for CVE-2020-26085 worked as advertised. Instead Watchcom found that the September update didn't fix the underlying problems.
A cross-site scripting (XSS) vuln leading to an RCE, CVE-2020-26085 was rated at 9.9 on the 10-point CVSS v3 scale, falling squarely into the "critical" bracket. It was uncovered by Watchcom in June this year and Cisco issued patches on 2 September that allegedly fixed it, as well as three other vulns.
Referring to the XSS-RCE vuln, Watchcom said in a blog post: "This vulnerability does not require user interaction an ..
Support the originator by clicking the read the rest link below.