Cisco Systems has fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.

A remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android. After the attackers input the meeting ID into their mobile Webex application, the browser then requests to launch the device’s Webex mobile application, allowing them to enter the meeting – sans a password.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications,” said Cisco in a Friday advisory. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

One caveat to the attack is that unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee – meaning their presence could be detected by others in the meeting. However, if left undetected, an attacker would be able to eavesdrop on potentially secretive or critical business meeting details.

Affected are Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter). Cisco fixed this vulnerability in versions 39.11.5 and later and 40.1.3 and later for Cisco…
