{ "id": "CVE-2021-34743", "sourceIdentifier": "ykramarz@cisco.com", "published": "2021-10-21T03:15:06.987", "lastModified": "2021-10-26T02:20:23.707", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile." }, { "lang": "es", "value": "Una vulnerabilidad en la funcionalidad application integration de Cisco Webex Software podr\u00eda permitir a un atacante remoto no autenticado autorizar a una aplicaci\u00f3n externa a integrarse y acceder a la cuenta de un usuario sin el consentimiento expreso de \u00e9ste. Esta vulnerabilidad es debido a una comprobaci\u00f3n inapropiada los tokens de tipo cross-site request forgery (CSRF). Un atacante podr\u00eda explotar esta vulnerabilidad al convencer a un usuario objetivo que est\u00e9 autenticado en el software Cisco Webex para que siga un enlace dise\u00f1ado para pasar una entrada maliciosa a la interfaz de autorizaci\u00f3n de la aplicaci\u00f3n del software Cisco Webex. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante causar que Cisco Webex Software autorice una aplicaci\u00f3n en nombre del usuario sin el consentimiento expreso de \u00e9ste, permitiendo posiblemente que aplicaciones externas lean datos del perfil de ese usuario" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 4.2 } ], "cvssMetricV30": [ { "source": "ykramarz@cisco.com", "type": "Secondary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.8, "impactScore": 1.4 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.8 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-352" } ] }, { "source": "ykramarz@cisco.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-352" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:cisco:webex_meetings:-:*:*:*:*:*:*:*", "matchCriteriaId": "81774C03-0884-44C6-80EF-DC882BF44C84" } ] } ] } ], "references": [ { "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T", "source": "ykramarz@cisco.com", "tags": [ "Vendor Advisory" ] } ] }