Cisco has patched four security holes in its WebEx software
January 14, 2015
Cisco said earlier today that it has patched no fewer than four security bugs in its WebEx software that allowed hackers to gain complete access to video conferences and acquire other admin functions.
Cisco's WebEx video communications platform contained a cross-site request forgery vulnerability in versions 1.5 and below.
Cisco placed a moderate severity rating on the security flaw (CVE-2014-8031). "A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to perform a cross-site request forgery attack," Cisco wrote in its security advisory this morning.
"The vulnerability is due to insufficient CSRF protections. An attacker could exploit this security vulnerability by convincing users of the affected systems to follow a malicious link or visit an attacker-controlled website," the advisory warned.
An additional three security flaws meant that attackers could launch cross-site scripting attacks (CVE-2014-8030), generate a user's encrypted password (CVE-2014-8032) and then exploit an exposed API to become an administrator (CVE-2014-8033).
In May 2014, Cisco patched a handful of buffer overflow holes in its WebEx product line that led to remote code execution.
Then in November, the company released additional security patches addressing some wobbly features and enforced stricter controls, including a requirement that all meetings have passwords at all times.
Users should be extremely cautious when opening links related to WebEx and update to a non-vulnerable version as soon as possible, Cisco warns.