Security News > 2020 > December > Cisco fixes new Jabber for Windows critical code execution bug
Cisco has addressed a new critical severity remote code execution vulnerability affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms after patching a related security bug in September.
Cisco released security updates in September to address a critical RCE security vulnerability tracked as CVE-2020-3495 stemming from a Cross-Site Scripting bug in Cisco Jabber.
Just as the previous flaw, the newly discovered RCE vulnerability tracked as CVE-2020-26085 is an XSS bug that can allow attackers to execute arbitrary code remotely by escaping Cisco Jabber's CEF sandbox.
The third and last vulnerability discovered while auditing Cisco's September patches is caused by a command injection bug in the app's custom protocol handlers that can enable attackers to take over the browser embedded in the targets' Cisco Jabber client.
25th September 2020: New vulnerabilities discovered and reported to Cisco PSIRT. Case number assigned by Cisco.
News URL
Related news
- Cisco warns of critical RCE zero-days in end of life IP phones (source)
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution (source)
- Proof-of-concept code released for zero-click critical IPv6 Windows hole (source)
- Week in review: SonicWall critical firewalls flaw fixed, APT exploits WPS Office for Windows RCE (source)
- Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-07 | CVE-2020-26085 | OS Command Injection vulnerability in Cisco Jabber Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. | 9.9 |
| 2020-09-04 | CVE-2020-3495 | Improper Input Validation vulnerability in Cisco Jabber A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. | 8.8 |