Security News > 2020 > December > Zero-Click Wormable RCE Vulnerability in Cisco Jabber Gets Fixed, Again

The bug impacts Cisco Jabber for Windows, Jabber for MacOS and the Jabber for mobile platforms.

The most serious of the bugs, a cross-site scripting flaw, impacts Cisco Jabber for Windows and Cisco Jabber for MacOS. The flaw allow an authenticated, remote attacker to execute programs on a targeted system.

"The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco wrote.

"The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. By convincing a targeted user to interact with a message, an attacker could inject arbitrary script code within the Jabber message window interface," according to the Cisco bulletinCisco explained the vulnerabilities are not dependent on one another.

"An attacker could exploit this vulnerability by convincing a user to click a link within a message sent by email or other messaging platform. A successful exploit could allow the attacker to execute arbitrary commands on a targeted system with the privileges of the user account that is running the Cisco Jabber client software," Cisco said.

News URL

https://threatpost.com/critical-cisco-jabber-bug-get-updated-fix/162143/