Cisco WebEx Meeting Meetinginfo.do Information Disclosure Vulnerability
1 Apr. 2016
meetinginfo.do in Cisco WebEx Event Center, WebEx Meeting Center, WebEx Sales Center, WebEx Training Center, WebEx Meetings Server 1.5(.1.131) and earlier, and WebEx Business Suite (WBS) 27 before 18.104.22.168, 28 before 22.214.171.124, and 29 before 126.96.36.199 allows remote attackers to obtain sensitive meeting information by leveraging knowledge of a meeting identifier
* Cisco WebEx Event Center Original Release Base
* Cisco WebEx Meeting Center Original Release Base
* Cisco WebEx Sales Center Original Release Base
* Cisco WebEx Training Center Original Release Base
* Cisco WebEx Meetings Server 1.131
* Cisco WebEx Business Suite (WBS) 188.8.131.52
A vulnerability in Cisco WebEx Business Suite (WBS) could allow an unauthenticated, remote attacker to use enumerated meeting identifiers to obtain confidential information.
The vulnerability is due to meeting identifiers that are not randomly generated and may be enumerated on an affected device. An unauthenticated, remote attacker could exploit this vulnerability to access sensitive information, such as the meeting title, meeting organizer, time, date, and duration of the meeting. If the meeting organizer does not require a password to attend the meeting or event, the meeting number is also returned and may be used to attend a meeting that is in progress. Even if a password is configured for a meeting, it is not required for participation on the audio bridge. A successful exploit could be used to conduct further attacks.