Cisco re-patches wormable Jabber RCE flaw
2020-12-14 11:39

In September 2020, Cisco patched four Jabber vulnerabilities, but as it turns out, three of the four have not been sufficiently mitigated.

The incompleteness of the patches was discovered by Watchcom researchers - who discovered and disclosed the batch of vulnerabilities made public in September - after one of their clients requested they verify the effectiveness of Cisco's patches.

In the meantime, the researchers discovered two other vulnerabilities that Cisco has patched along with these: CVE-2020-27134, a message handling script injection flaw, and CVE-2020-27133, a custom protocol handler command injection vulnerability.

"The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability," Cisco explained.

Cisco Jabber is a popular video conferencing and instant messaging application that's often used within enterprises for internal communication and collaboration.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/hOcuQwyJ81U/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-11 | CVE-2020-27133 | Improper Privilege Management vulnerability in Cisco Jabber and Jabber for Mobile Platforms. Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. | network, low complexity, cisco, CWE-269, critical, 9.9 |
| 2020-12-11 | CVE-2020-27134 | Information Exposure vulnerability in Cisco Jabber and Jabber for Mobile Platforms. Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. | network, low complexity, cisco, CWE-200, critical, 9.9 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Cisco | | 4471 | 240 | 3152 | 1887 | 612 | 5891 |