CVE-2020-26068

EPSS 0.18%
Published 18.11.2020 18:15:11
Last modified 21.11.2024 05:19:09
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Roomos Version-

Cisco ≫ Telepresence Collaboration Endpoint Version >= 9.10.0 < 9.10.3

Cisco ≫ Telepresence Collaboration Endpoint Version >= 9.12.0 < 9.12.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.18%	0.368

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
psirt@cisco.com	5.5	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-26068

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-26068

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-26068

EUVD