Cisco Webex Training Center Session Password and Access Code Disclosure Vulnerability

2013-12-13T19:01:01
ID CISCO-SA-20131213-CVE-2013-6709
Type cisco
Reporter Cisco
Modified 2013-12-13T19:00:56

Description

A vulnerability in the registration pages of Cisco WebEx Training Center could allow an unauthenticated, remote attacker to obtain the password and access code for a paid training without paying or registering for the training.

The vulnerability is due to disclosure of the training session information URL before the registration and payment are complete. An attacker could exploit this vulnerability by gathering the training session access code and password from the disclosed URL and use the information to join the audio conference. This vulnerability will not allow an attacker to join the web conference, only the audio conference.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.