CVE-2020-3319

low-risk
Published 2020-06-03

A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file. This vulnerability affects Cisco Webex Network Recording Player and Webex Player releases earlier than Release 3.0 MR3 Security Patch 2 and 4.0 MR3.

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.3/10 Low
LOCAL / LOW complexity

Affected Products (3)

Webex Network Recording Player
Webex Network Recording Player
Webex Player

Affected Vendors

Cisco

References (2)

Vendor Advisory https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs98254
Vendor Advisory https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs98254
23
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 9/34 · Low