9.3
CVSSv2

CVE-2017-6753

Published: 25/07/2017 Updated: 09/10/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote malicious user to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. The following versions of the Cisco WebEx browser extensions are affected: Versions before 1.0.12 of the Cisco WebEx extension on Google Chrome, Versions before 1.0.12 of the Cisco WebEx extension on Mozilla Firefox. Cisco Bug IDs: CSCvf15012 CSCvf15020 CSCvf15030 CSCvf15033 CSCvf15036 CSCvf15037.

Vulnerability Trend

Vendor Advisories

A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, ...

Recent Articles

Cisco plugs command-injection hole in WebEx Chrome, Firefox plugins
The Register • Shaun Nichols in San Francisco • 17 Jul 2017

Make sure you've updated if you're using Windows

Cisco has patched its Chrome and Firefox WebEx plugins to kill a bug that allows evil webpages to execute commands on computers.
A malicious page, when visited by a vulnerable Windows machine, can exploit the security flaw (CVE-2017-6753) to run arbitrary commands and code with the same privileges as the browser. In other words, the page can abuse the installed plugins to hijack the PC.
The hole is present in the Chrome and Firefox plugins for Cisco WebEx Meetings Server and Cisco We...