NVD Vulnerability Detail

CVE-2018-15442

Summary	A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
Publication Date	Oct. 25, 2018, 4:29 a.m.
Registration Date	March 1, 2021, 6:59 p.m.
Last Update	Nov. 21, 2024, 12:50 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cisco:webex_productivity_tools::::::::	32.6.0			33.0.6
cpe:2.3:a:cisco:webex_meetings_desktop::::::windows::*				33.6.4

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/105734	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/105734	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1041942	Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1041942	Third Party Advisory VDB Entry
5	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection	Vendor Advisory
6	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection	Vendor Advisory
7	https://www.exploit-db.com/exploits/45695/	Exploit Third Party Advisory VDB Entry
8	https://www.exploit-db.com/exploits/45695/	Exploit Third Party Advisory VDB Entry
9	https://www.exploit-db.com/exploits/45696/	Exploit Third Party Advisory VDB Entry
10	https://www.exploit-db.com/exploits/45696/	Exploit Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html

JVN Vulnerability Information

Windows 用 Cisco Webex Meetings Desktop アプリケーションにおける OS コマンドインジェクションの脆弱性

Title	Windows 用 Cisco Webex Meetings Desktop アプリケーションにおける OS コマンドインジェクションの脆弱性
Summary	Windows 用 Cisco Webex Meetings Desktop アプリケーションには、OS コマンドインジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 27, 2018, midnight
Registration Date	March 6, 2019, 4:25 p.m.
Last Update	March 6, 2019, 4:25 p.m.

Affected System

シスコシステムズ

Cisco Webex Meetings Desktop

Cisco WebEx Productivity Tools

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-15442	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15442
2	CVE-2018-15442	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15442
National Vulnerability Database (NVD)
3	CVE-2018-15442	https://nvd.nist.gov/vuln/detail/CVE-2018-15442
4	CVE-2018-15442	https://nvd.nist.gov/vuln/detail/CVE-2018-15442

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-78	https://jvndb.jvn.jp/ja/cwe/CWE-78.html
2	CWE-78	https://jvndb.jvn.jp/ja/cwe/CWE-78.html

ベンダー情報

No	Name	URL
Cisco Security Advisory
1	cisco-sa-20181024-webex-injection	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection
2	cisco-sa-20181024-webex-injection	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

Change Log

No	Changed Details	Date of change
1	[2019年03月06日] 掲載	March 6, 2019, 4:25 p.m.