Change the plan for Sat night, hackers. No more biz meetup eavesdrop LOLs

Cisco squashes bugs in WebEx

Cisco has patched four holes in WebEx that allowed attackers to gain access to video conferences and gain other administrative functions.

The popular platform contained a cross site request forgery in versions 1.5 and below.

Cisco slapped a moderate severity rating on the bug (CVE-2014-8031).

"A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to perform a cross-site request forgery attack," Cisco wrote in an advisory.

"The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website."

A further three flaws meant attackers could launch cross-site scripting attacks (CVE-2014-8030), generate a users' encrypted password (CVE-2014-8032), and exploit an exposed API to become an administrator (CVE-2014-8033).

In May, Cisco patched a handful of buffer overflow holes in its WebEx line that led to remote code execution. In November the company flung patches addressing some wobbly features and enforced stricter controls including that all meetings must have passwords.

Users should be cautious when opening links related to WebEx and update to a non-vulnerable version as soon as possible. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019