Cisco WebEx Training Center Training Session Number Disclosure Vulnerability

2013-12-13T15:02:22
ID CISCO-SA-20131213-CVE-2013-6972
Type cisco
Reporter Cisco
Modified 2013-12-13T15:02:16

Description

A vulnerability in Cisco WebEx Training Center could allow an unauthenticated, remote attacker to view the session number for trainings that require host approval before the host approves the attacker as an attendee.

The vulnerability is due to inappropriate disclosure of sensitive information in server replies to clients. An attacker could exploit this vulnerability by viewing the source for the vulnerable pages. An attacker with a valid session number can use that number to join the audio portion of a conference even if the host has not approved the attacker as an attendee. The attacker would still require approval to join the web conference.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.