CVE-2021-1221 - OpenCVE

A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Webex Meetings Webex Meetings Server

Configuration 1 [-]

OR	cpe:2.3:a:cisco:webex_meetings::::::::
	cpe:2.3:a:cisco:webex_meetings_server::::::::
	cpe:2.3:a:cisco:webex_meetings_server:3.0:-::::::
	cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch4::::::
	cpe:2.3:a:cisco:webex_meetings_server:4.0:-::::::
	cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release3_security_patch3::::::

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-linkinj-WWZpVqu9	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2021-02-03T00:00:00

Updated: 2021-02-04T16:35:44

Reserved: 2020-11-13T00:00:00

Link: CVE-2021-1221

JSON object: View

NVD Information

Status : Modified

Published: 2021-02-04T17:15:14.560

Modified: 2023-11-07T03:27:44.347

Link: CVE-2021-1221

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Cisco WebEx Meetings Server ", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2021-02-03T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-04T16:35:44", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20210203 Cisco Webex Meetings and Cisco Webex Meetings Server Software Hyperlink Injection Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-linkinj-WWZpVqu9"}], "source": {"advisory": "cisco-sa-wbx-linkinj-WWZpVqu9", "defect": [["CSCvw13888", "CSCvw13891"]], "discovery": "INTERNAL"}, "title": "Cisco Webex Meetings and Cisco Webex Meetings Server Software Hyperlink Injection Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2021-02-03T16:00:00", "ID": "CVE-2021-1221", "STATE": "PUBLIC", "TITLE": "Cisco Webex Meetings and Cisco Webex Meetings Server Software Hyperlink Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco WebEx Meetings Server ", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "impact": {"cvss": {"baseScore": "4.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N ", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20"}]}]}, "references": {"reference_data": [{"name": "20210203 Cisco Webex Meetings and Cisco Webex Meetings Server Software Hyperlink Injection Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-linkinj-WWZpVqu9"}]}, "source": {"advisory": "cisco-sa-wbx-linkinj-WWZpVqu9", "defect": [["CSCvw13888", "CSCvw13891"]], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2021-1221", "datePublished": "2021-02-03T00:00:00", "dateReserved": "2020-11-13T00:00:00", "dateUpdated": "2021-02-04T16:35:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_meetings:*:*:*:*:*:*:*:*", "matchCriteriaId": "264B9E30-8AB4-454F-BF92-018FF6719BF8", "versionEndExcluding": "41.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE22BE9B-374E-43DC-BA91-E3B9699A4C7C", "versionEndExcluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*", "matchCriteriaId": "61D1081F-87E8-4E8B-BEBD-0F239E745586", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch4:*:*:*:*:*:*", "matchCriteriaId": "D36FE453-C43F-448B-8A59-668DE95468C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*", "matchCriteriaId": "4D6CF856-093A-4E89-A71D-50A2887C265B", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release3_security_patch3:*:*:*:*:*:*", "matchCriteriaId": "EA561408-D53D-43B9-A464-A413EC2E083E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by entering a URL into a field in the user interface. A successful exploit could allow the attacker to generate a Webex Meetings invitation email that contains a link to a destination of their choosing. Because this email is sent from a trusted source, the recipient may be more likely to click the link."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de usuario de Cisco Webex Meetings y el software Cisco Webex Meetings Server, podr\u00eda permitir a un atacante autenticado remoto inyectar un hiperv\u00ednculo en un correo electr\u00f3nico de invitaci\u00f3n para una reuni\u00f3n. La vulnerabilidad es debido a una comprobaci\u00f3n insuficiente de la entrada. Un atacante podr\u00eda explotar esta vulnerabilidad al introducir una URL en un campo en la interfaz de usuario. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante generar un correo electr\u00f3nico de invitaci\u00f3n de Webex Meetings que contenga un enlace a un destino de su elecci\u00f3n. Debido a que este correo electr\u00f3nico se env\u00eda desde una fuente confiable, es m\u00e1s probable que el destinatario haga clic en el enlace"}], "id": "CVE-2021-1221", "lastModified": "2023-11-07T03:27:44.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2021-02-04T17:15:14.560", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wbx-linkinj-WWZpVqu9"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}