Cisco released 14 security advisories on January 8 with two being rated as having a potentially high impact and the remainder listed as medium issues.
The two rated high are CVE-2019-16005 and CVE-2019-16009.
The first is a Cisco Webex video mesh node comm and injection vulnerability that if exploited could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.
The latter is a vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This is due to insufficient CSRF protections for the web UI on an affected device.
The medium-rated CVE-2020-3116 is vulnerability in the way Cisco Webex applications process Universal Communications Format (UCF) files that could allow an attacker to cause a DoS condition. This flaw can be exploited if an attacker sends a user a malicious UCF file through a link or email attachment and persuades the user to open the file with the affected software on the local system.
The company also noted a vulnerability in the web-based GUI of its IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware. If exploited it could allow an authenticated, remote attacker to conduct a XSS attack against a user of the web-based interface of an affected system.
Patches are available for all the vulnerabilities and Cisco recommends users update their systems accordingly.
