Cisco Bug: CSCvu35206 - Cisco Webex Services API Server-Side Request Forgery Vulnerability

Last Modified

Jul 17, 2020

Products (1)

  • Cisco Webex Meetings Online

Known Affected Releases

WBS40.7.0

Description (partial)

CISCO HIGHLY CONFIDENTIAL - CONTROLLED ACCESS

This issue is under review by the Cisco Product Security Incident Response
team (PSIRT).

The defect describes a product security vulnerability.  Its contents must
be protected from unauthorized disclosure, both internal and external to
Cisco.  Do not forward this information to mailing lists or newsgroups.

Documentation writers: it is prohibited to publish this Release-note 
Enclosure (RNE) until the content has been approved by PSIRT.  PSIRT may 
publish a Security Advisory regarding this defect, and the current text of 
this RNE will be replaced with appropriate information.  In the event that 
a Security Advisory is not published, PSIRT will replace this text with an 
appropriate explanation.

More information on PSIRT is available at <http://psirt.cisco.com/>.
Cisco's public policy on security vulnerability handling can be reviewed at 
<http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html>.
For further information, send a message to psirt@cisco.com.

User: nleali-Date:06/25/2020

Symptom:
An issue in an API of the Cisco Webex infrastructure could allow a malicious user to send arbitrary HTTP requests to other services within the Cisco Webex infrastructure. As a result, a malicious user could potentially access portions of the Cisco Webex infrastructure that should be inaccessible to direct requests.

This issue has been resolved in the Cisco Webex infrastructure.

Conditions:
None.