Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6794 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input at the CLI for certain commands. An attacker could exploit this vulnerability by authenticating to the affected application and submitting a crafted CLI command for execution at the Cisco Meeting Server CLI. An exploit could allow the attacker to perform command injection and escalate their privilege level to root. Vulnerable Products: This vulnerability exists in Cisco Meeting Server software versions prior to and including 2.0, 2.1, and 2.2. Cisco Bug IDs: CSCvf53830. | |||||
| CVE-2017-6763 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the implementation of the H.264 protocol in Cisco Meeting Server (CMS) 2.1.4 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability exists because the affected application does not properly validate Fragmentation Unit (FU-A) protocol packets. An attacker could exploit this vulnerability by sending a crafted H.264 FU-A packet through the affected application. A successful exploit could allow the attacker to cause a DoS condition on the affected system due to an unexpected restart of the CMS media process on the system. Although the CMS platform continues to operate and only the single, affected CMS media process is restarted, a brief interruption of media traffic for certain users could occur. Cisco Bug IDs: CSCve10131. | |||||
| CVE-2017-3837 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| An HTTP Packet Processing vulnerability in the Web Bridge interface of the Cisco Meeting Server (CMS), formerly Acano Conferencing Server, could allow an authenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. In addition, the attacker could potentially cause the application to crash unexpectedly, resulting in a denial of service (DoS) condition. The attacker would need to be authenticated and have a valid session with the Web Bridge. Affected Products: This vulnerability affects Cisco Meeting Server software releases prior to 2.1.2. This product was previously known as Acano Conferencing Server. More Information: CSCvc89551. Known Affected Releases: 2.0 2.0.7 2.1. Known Fixed Releases: 2.1.2. | |||||
| CVE-2017-3830 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in an internal API of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected appliance. More Information: CSCvc89678. Known Affected Releases: 2.1. Known Fixed Releases: 2.1.2. | |||||
| CVE-2017-12362 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 7.8 HIGH | 6.5 MEDIUM |
| A vulnerability in Cisco Meeting Server versions prior to 2.2.2 could allow an authenticated, remote attacker to cause the system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to video calls being made on systems with a particular configuration. An attacker could exploit this by knowing a valid URI that directs to a Cisco Meeting Server. An attacker could then make a video call and cause the system to reload. Cisco Bug IDs: CSCve65931. | |||||
| CVE-2017-12311 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the H.264 decoder function of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a Cisco Meeting Server media process to restart unexpectedly when it receives an illegal H.264 frame. The vulnerability is triggered by an H.264 frame that has an invalid picture parameter set (PPS) value. An attacker could exploit this vulnerability by sending a malformed H.264 frame to the targeted device. An exploit could allow the attacker to cause a denial of service (DoS) condition because the media process could restart. The media session should be re-established within a few seconds, during which there could be a brief interruption in service. Cisco Bug IDs: CSCvg12559. | |||||
| CVE-2017-12264 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Web Admin Interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient bound checks performed by the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP packet to the affected system. A successful exploit could allow the attacker to cause a reload of the Web Admin Server. Cisco Bug IDs: CSCve89149. | |||||
| CVE-2017-12249 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| A vulnerability in the Traversal Using Relay NAT (TURN) server included with Cisco Meeting Server (CMS) could allow an authenticated, remote attacker to gain unauthenticated or unauthorized access to components of or sensitive information in an affected system. The vulnerability is due to an incorrect default configuration of the TURN server, which could expose internal interfaces and ports on the external interface of an affected system. An attacker could exploit this vulnerability by using a TURN server to perform an unauthorized connection to a Call Bridge, a Web Bridge, or a database cluster in an affected system, depending on the deployment model and CMS services in use. A successful exploit could allow the attacker to gain unauthenticated access to a Call Bridge or database cluster in an affected system or gain unauthorized access to sensitive meeting information in an affected system. To exploit this vulnerability, the attacker must have valid credentials for the TURN server of the affected system. This vulnerability affects Cisco Meeting Server (CMS) deployments that are running a CMS Software release prior to Release 2.0.16, 2.1.11, or 2.2.6. Cisco Bug IDs: CSCvf51127. | |||||
| CVE-2017-12224 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the ability for guest users to join meetings via a hyperlink with Cisco Meeting Server could allow an authenticated, remote attacker to enter a meeting with a hyperlink URL, even though access should be denied. The vulnerability is due to the incorrect implementation of the configuration setting Guest access via hyperlinks, which should allow the administrative user to prevent guest users from using hyperlinks to connect to meetings. An attacker could exploit this vulnerability by using a crafted hyperlink to connect to a meeting. An exploit could allow the attacker to connect directly to the meeting with a hyperlink, even though access should be denied. The attacker would still require a valid hyperlink and encoded secret identifier to be connected. Cisco Bug IDs: CSCve20873. | |||||
| CVE-2016-6448 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. This vulnerability affects the following products: Cisco Meeting Server releases prior to Release 2.0.3, Acano Server releases 1.9.x prior to Release 1.9.5, Acano Server releases 1.8.x prior to Release 1.8.17. More Information: CSCva76004. Known Affected Releases: 1.8.x 1.92.0. | |||||
| CVE-2016-6447 | 1 Cisco | 2 Meeting App, Meeting Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Meeting Server and Meeting App could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. This vulnerability affects the following products: Cisco Meeting Server releases prior to 2.0.1, Acano Server releases prior to 1.8.16 and prior to 1.9.3, Cisco Meeting App releases prior to 1.9.8, Acano Meeting Apps releases prior to 1.8.35. More Information: CSCva75942 CSCvb67878. Known Affected Releases: 1.81.92.0. | |||||
| CVE-2016-6446 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Web Bridge for Cisco Meeting Server could allow an unauthenticated, remote attacker to retrieve memory from a connected server. More Information: CSCvb03308. Known Affected Releases: 1.8, 1.9, 2.0. | |||||
| CVE-2016-6445 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) before 2.0.6 and Acano Server before 1.8.18 and 1.9.x before 1.9.6 could allow an unauthenticated, remote attacker to masquerade as a legitimate user. This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user. | |||||
| CVE-2016-6444 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a Web Bridge user. More Information: CSCvb03308. Known Affected Releases: 1.8, 1.9, 2.0. | |||||
| CVE-2016-1451 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Meeting Server (formerly Acano Conferencing Server) 1.7 through 1.9 allows remote attackers to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCva19922. | |||||
| CVE-2023-20255 | 1 Cisco | 1 Meeting Server | 2024-02-05 | N/A | 5.3 MEDIUM |
| A vulnerability in an API of the Web Bridge feature of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to cause a partial availability condition, which could cause ongoing video calls to be dropped due to the invalid packets reaching the Web Bridge. | |||||
| CVE-2021-40122 | 1 Cisco | 1 Meeting Server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in an API of the Call Bridge feature of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper handling of large series of message requests. An attacker could exploit this vulnerability by sending a series of messages to the vulnerable API. A successful exploit could allow the attacker to cause the affected device to reload, dropping all ongoing calls and resulting in a DoS condition. | |||||
| CVE-2021-1524 | 1 Cisco | 1 Meeting Server | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the API of Cisco Meeting Server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because requests that are sent to the API are not properly validated. An attacker could exploit this vulnerability by sending a malicious request to the API. A successful exploit could allow the attacker to cause all participants on a call to be disconnected, resulting in a DoS condition. | |||||
| CVE-2020-3197 | 1 Cisco | 1 Meeting Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the API subsystem of Cisco Meetings App could allow an unauthenticated, remote attacker to retain and reuse the Traversal Using Relay NAT (TURN) server credentials that are configured in an affected system. The vulnerability is due to insufficient protection mechanisms for the TURN server credentials. An attacker could exploit this vulnerability by intercepting the legitimate traffic that is generated by an affected system. An exploit could allow the attacker to obtain the TURN server credentials, which the attacker could use to place audio/video calls and forward packets through the configured TURN server. The attacker would not be able to take control of the TURN server unless the same credentials were used in multiple systems. | |||||
| CVE-2020-3160 | 1 Cisco | 1 Meeting Server | 2024-02-04 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) feature of Cisco Meeting Server software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition for users of XMPP conferencing applications. Other applications and processes are unaffected. The vulnerability is due to improper input validation of XMPP packets. An attacker could exploit this vulnerability by sending crafted XMPP packets to an affected device. An exploit could allow the attacker to cause process crashes and a DoS condition for XMPP conferencing applications. | |||||