Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform that could be exploited by a remote, unauthenticated attacker to join a Webex session without appearing on the participant list.
The vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site.
“An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s browser. The browser will then request to launch the device’s Webex mobile application,” wrote Cisco in a Friday advisory. The intruder can then access that meeting through the mobile Webex app; no password is required.
Affected Products
This vulnerability affected all Cisco Webex Meetings sites before November 17, 2020. At the time of publication, this vulnerability…