ID

VAR-201810-0311


CVE

CVE-2018-0436


TITLE

Vulnerability in privilege management in Cisco Webex Teams

Trust: 0.8

sources: JVNDB: JVNDB-2018-013277

DESCRIPTION

A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for associations between user accounts and organization accounts. An attacker who has administrator or compliance officer privileges for one organization account could exploit this vulnerability by using those privileges to view and modify data for another organization account. No customer data was impacted by this vulnerability. A permission management vulnerability exists in Cisco Webex Teams. Information may be obtained and tampered with. An attacker can exploit this issue to obtain sensitive information, bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCvi68464. Versions prior to Cisco Webex Teams 20180417-150803 are vulnerable. The program includes features such as video conferencing, group messaging and file sharing.

Trust: 1.98

sources: NVD: CVE-2018-0436 // JVNDB: JVNDB-2018-013277 // BID: 105301 // VULHUB: VHN-118638

AFFECTED PRODUCTS

vendor: cisco, model: webex teams, scope: lt, version: 10.6.0

Trust: 1.0

vendor: シスコシステムズ, model: cisco webex teams, scope: eq, version: -

Trust: 0.8

vendor: cisco, model: webex teams, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: webex teams, scope: ne, version: 20180417-150803

Trust: 0.3

sources: BID: 105301 // JVNDB: JVNDB-2018-013277 // NVD: CVE-2018-0436

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0436
value: HIGH

Trust: 1.0

NVD: CVE-2018-0436
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-256
value: HIGH

Trust: 0.6

VULHUB: VHN-118638
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0436
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118638
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0436
baseSeverity: HIGH
baseScore: 8.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 5.8
version: 3.1

Trust: 1.0

NVD: CVE-2018-0436
baseSeverity: HIGH
baseScore: 8.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-118638 // JVNDB: JVNDB-2018-013277 // CNNVD: CNNVD-201809-256 // NVD: CVE-2018-0436

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.1

problemtype: CWE-284

Trust: 1.0

problemtype: Improper authority management (CWE-269) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-118638 // JVNDB: JVNDB-2018-013277 // NVD: CVE-2018-0436

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-256

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201809-256

PATCH

title: cisco-sa-20180905-webex-id-mod, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Trust: 0.8

title: Cisco Webex Teams Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84587

Trust: 0.6

sources: JVNDB: JVNDB-2018-013277 // CNNVD: CNNVD-201809-256

EXTERNAL IDS

db: NVD, id: CVE-2018-0436

Trust: 3.6

db: BID, id: 105301

Trust: 2.0

db: JVNDB, id: JVNDB-2018-013277

Trust: 0.8

db: CNNVD, id: CNNVD-201809-256

Trust: 0.7

db: VULHUB, id: VHN-118638

Trust: 0.1

sources: VULHUB: VHN-118638 // BID: 105301 // JVNDB: JVNDB-2018-013277 // CNNVD: CNNVD-201809-256 // NVD: CVE-2018-0436

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180905-webex-id-mod

Trust: 2.0

url: http://www.securityfocus.com/bid/105301

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-0436

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-118638 // BID: 105301 // JVNDB: JVNDB-2018-013277 // CNNVD: CNNVD-201809-256 // NVD: CVE-2018-0436

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105301

SOURCES

db: VULHUB, id: VHN-118638
db: BID, id: 105301
db: JVNDB, id: JVNDB-2018-013277
db: CNNVD, id: CNNVD-201809-256
db: NVD, id: CVE-2018-0436

LAST UPDATE DATE

2024-08-14T13:55:48.242000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118638, date: 2019-10-09T00:00:00
db: BID, id: 105301, date: 2018-09-05T00:00:00
db: JVNDB, id: JVNDB-2018-013277, date: 2024-05-31T06:51:00
db: CNNVD, id: CNNVD-201809-256, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0436, date: 2024-05-23T17:56:44.980

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118638, date: 2018-10-05T00:00:00
db: BID, id: 105301, date: 2018-09-05T00:00:00
db: JVNDB, id: JVNDB-2018-013277, date: 2019-02-18T00:00:00
db: CNNVD, id: CNNVD-201809-256, date: 2018-09-06T00:00:00
db: NVD, id: CVE-2018-0436, date: 2018-10-05T14:29:01.933