Cisco has patched a high-risk vulnerability, CVE-2020-3142, in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites. An unauthenticated actor could join a password-protected meeting without entering the meeting password.
For an attacker to exploit the “unauthenticated meeting join” vulnerability CVE-2020-3142, Cisco said, remote connection attempts must be initiated from a Webex mobile app for iOS or Android.
“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” Cisco warned in the advisory posted on January 24.
After a successful exploit, the unauthorized attendee could join the password-protected meeting. The same unauthorized attendee will also be visible as a mobile attendee in the meeting attendee list.
Cisco rates the vulnerability as high severity, with a CVSS base score of 7.5.
Cisco added that no user action is required since the company has already applied updates that address this vulnerability.