CVE-2018-0422

CVSS V2 Medium 6.9 CVSS V3 High 7.3
Description
A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges. Attacks on single-user systems are less likely to occur, as the attack must be carried out by the user on the user's own system. Multiuser systems have a higher risk of exploitation because folder permissions have an impact on all users of the device. For an attacker to exploit this vulnerability successfully, a second user must execute the locally installed malicious file to allow remote code execution to occur.
Overview
  • CVE ID
  • CVE-2018-0422
  • Assigner
  • ykramarz@cisco.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2018-10-05T14:29:00
  • Last Modified Date
  • 2019-10-03T00:03:26
Weakness Enumerations
CWE URL
CWE-732 http://cwe.mitre.org/data/definitions/732.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:* 1 OR 1.3.37
cpe:2.3:a:cisco:webex_meetings_online:t31.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:cisco:webex_meetings_online:t31.20.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:cisco:webex_meetings_server:*:*:*:*:*:*:*:* 1 OR 3.0
cpe:2.3:a:cisco:webex_meetings_server:3.0:mr1:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:cisco:webex_business_suite_32:*:*:*:*:*:*:*:* 1 OR 32.15.20
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:cisco:webex_business_suite_33:*:*:*:*:*:*:*:* 1 OR 33.4
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:cisco:webex_business_suite_31:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:L/AC:M/Au:N/C:C/I:C/A:C
  • Access Vector
  • LOCAL
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • COMPLETE
  • Availability Impact
  • COMPLETE
  • Base Score
  • 6.9
  • Severity
  • MEDIUM
  • Exploitability Score
  • 3.4
  • Impact Score
  • 10
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • Attack Vector
  • LOCAL
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • REQUIRED
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 7.3
  • Base Severity
  • HIGH
  • Exploitability Score
  • 1.3
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe Vendor Advisory
http://www.securitytracker.com/id/1041681 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105281 Third Party Advisory VDB Entry
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2018-0422
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0422
History
Created Old Value New Value Data Type Notes
2022-05-10 17:30:17 Added to TrackCVE
2022-12-03 12:53:34 psirt@cisco.com ykramarz@cisco.com CVE Assigner updated
2022-12-03 12:53:34 2018-10-05T14:29Z 2018-10-05T14:29:00 CVE Published Date updated
2022-12-03 12:53:34 2019-10-03T00:03:26 CVE Modified Date updated
2022-12-03 12:53:34 Analyzed Vulnerability Status updated