CVE-2021-34743

A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile.

CVSS v3 7.1 HIGH
CVSS v2.0 5.8 MEDIUM

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:webex_meetings:-:*:*:*:*:*:*:*

History

26 Oct 2021, 02:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cisco:webex_meetings:-:::::::*
CWE		CWE-352
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.8 v3 : 7.1
References	~~(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T -~~	(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T - Vendor Advisory

21 Oct 2021, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-10-21 03:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-34743

Mitre link : CVE-2021-34743

CVE.ORG link : CVE-2021-34743

JSON object : View

Products Affected

cisco

webex_meetings

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2021-34743", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-10-21T03:15:06.987", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile."}, {"lang": "es", "value": "Una vulnerabilidad en la funcionalidad application integration de Cisco Webex Software podr\u00eda permitir a un atacante remoto no autenticado autorizar a una aplicaci\u00f3n externa a integrarse y acceder a la cuenta de un usuario sin el consentimiento expreso de \u00e9ste. Esta vulnerabilidad es debido a una comprobaci\u00f3n inapropiada los tokens de tipo cross-site request forgery (CSRF). Un atacante podr\u00eda explotar esta vulnerabilidad al convencer a un usuario objetivo que est\u00e9 autenticado en el software Cisco Webex para que siga un enlace dise\u00f1ado para pasar una entrada maliciosa a la interfaz de autorizaci\u00f3n de la aplicaci\u00f3n del software Cisco Webex. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante causar que Cisco Webex Software autorice una aplicaci\u00f3n en nombre del usuario sin el consentimiento expreso de \u00e9ste, permitiendo posiblemente que aplicaciones externas lean datos del perfil de ese usuario"}], "lastModified": "2023-11-07T03:36:16.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81774C03-0884-44C6-80EF-DC882BF44C84"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}