CVE-2020-3143
- EPSS 2.28%
- Published 23.09.2020 01:15:15
- Last modified 21.11.2024 05:30:24
- Source psirt@cisco.com
A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software, Cisco TelePresence Codec (TC) Software, and Cisco RoomOS Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the xAPI of the affected software. An attacker could exploit this vulnerability by sending a crafted request to the xAPI. A successful exploit could allow the attacker to read and write arbitrary files in the system. To exploit this vulnerability, an attacker would need either an In-Room Control or administrator account.
Data is provided by the National Vulnerability Database (NVD)
Cisco ≫ Ex60 Firmware Version-
Cisco ≫ Ex90 Firmware Version-
Cisco ≫ Sx10 Firmware Version-
Cisco ≫ Sx20 Firmware Version-
Cisco ≫ Sx80 Firmware Version-
Cisco ≫ Telepresence Codec C40 Firmware Version-
Cisco ≫ Telepresence Codec C60 Firmware Version-
Cisco ≫ Telepresence Codec C90 Firmware Version-
Cisco ≫ Telepresence Mx200 Firmware Version-
Cisco ≫ Telepresence Mx300 Firmware Version-
Cisco ≫ Telepresence Mx700 Firmware Version-
Cisco ≫ Telepresence Mx800 Firmware Version-
Cisco ≫ Webex Board 55 Firmware Version-
Cisco ≫ Webex Board 55s Firmware Version-
Cisco ≫ Webex Board 70 Firmware Version-
Cisco ≫ Webex Board 70s Firmware Version-
Cisco ≫ Webex Board 85s Firmware Version-
Cisco ≫ Webex Dx70 Firmware Version-
Cisco ≫ Webex Dx80 Firmware Version-
Cisco ≫ Webex Room 55 Firmware Version-
Cisco ≫ Webex Room 70 Firmware Version-
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 2.28% | 0.841 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
psirt@cisco.com | 8.8 | 2.8 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.