Vulnerability Details : CVE-2019-15987
A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user.
Vulnerability category: BypassGain privilege
Products affected by CVE-2019-15987
- cpe:2.3:a:cisco:webex_meeting_center:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:webex_training_center:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:webex_meetings_server:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:webex_event_center:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:webex_support_center:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:webex_meetings_online:11.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-15987
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-15987
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
Cisco Systems, Inc. | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2019-15987
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2019-15987
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-webex-centers-infodis
Cisco WebEx Centers Username Enumeration Information Disclosure VulnerabilityVendor Advisory
Jump to