{"containers": {"cna": {"affected": [{"product": "Cisco Webex Meetings Multimedia Viewer", "vendor": "Cisco", "versions": [{"status": "affected", "version": "T39.3"}]}], "credits": [{"lang": "en", "value": "Cisco would like to thank Alexandros Zacharis of European GNSS Agency (GSA) for reporting this vulnerability."}], "datePublic": "2020-04-13T00:00:00", "descriptions": [{"lang": "en", "value": "vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-13T16:40:12", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20200413 Cisco Webex Meetings Multimedia Viewer Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs24436"}], "source": {"advisory": "CSCvs24436", "defect": ["CSCvs24436"], "discovery": "EXTERNAL"}, "title": "Cisco Webex Meetings Multimedia Viewer Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2020-04-13T16:00:00.000Z", "ID": "CVE-2020-3126", "STATE": "PUBLIC", "TITLE": "Cisco Webex Meetings Multimedia Viewer Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Webex Meetings Multimedia Viewer", "version": {"version_data": [{"version_affected": "=", "version_value": "T39.3"}]}}]}, "vendor_name": "Cisco"}]}}, "credit": [{"lang": "eng", "value": "Cisco would like to thank Alexandros Zacharis of European GNSS Agency (GSA) for reporting this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "20200413 Cisco Webex Meetings Multimedia Viewer Vulnerability", "refsource": "CISCO", "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs24436"}]}, "source": {"advisory": "CSCvs24436", "defect": ["CSCvs24436"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:24:00.520Z"}, "title": "CVE Program Container", "references": [{"name": "20200413 Cisco Webex Meetings Multimedia Viewer Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs24436"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2020-3126", "datePublished": "2020-04-13T16:40:12.767786Z", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2024-09-17T03:18:29.263Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings_server:t39.3:*:*:*:*:*:*:*", "matchCriteriaId": "BBD0A7A6-9172-4090-94F9-B381C2C48DB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window."}, {"lang": "es", "value": "Una vulnerabilidad dentro de la funcionalidad Multimedia Viewer de Cisco Webex Meetings, podr\u00eda permitir a un atacante remoto autenticado omitir las protecciones de seguridad. La vulnerabilidad es debido a la falta de cuadros de di\u00e1logo de advertencia de seguridad cuando un host de sala visualiza archivos multimedia compartidos. Un atacante autenticado remoto podr\u00eda explotar esta vulnerabilidad al usar el rol de host para compartir archivos dentro de la funcionalidad Multimedia sharing y convencer a un antiguo host de la sala para que vea ese archivo. Un cuadro de di\u00e1logo de advertencia com\u00fanmente aparece advirtiendo a usuarios antes de que se muestre el archivo; sin embargo, el host anterior no ver\u00eda ese cuadro de di\u00e1logo de advertencia, y cualquier multimedia compartida se representar\u00eda dentro del navegador del usuario. El atacante podr\u00eda aprovechar este comportamiento para llevar a cabo ataques adicionales mediante la inclusi\u00f3n de archivos maliciosos dentro de la ventana del navegador de un host de sala objetivo."}], "id": "CVE-2020-3126", "lastModified": "2020-04-14T17:56:40.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2020-04-13T17:15:11.093", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs24436"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}