CVE-2019-1877 — Sensitive Information Exposure in Cisco Enterprise Chat AND Email

CWE-200 — Sensitive Information Exposure CWE-287 — Improper Authentication4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

1.3%

top 20.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Enterprise Chat AND Email Cisco Enterprise Chat AND Email

Timeline

PublishedNov 5

Latest updateMay 24

Description

A vulnerability in the HTTP API of Cisco Enterprise Chat and Email could allow an unauthenticated, remote attacker to download files attached through chat sessions. The vulnerability is due to insufficient authentication mechanisms on the file download function of the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to download files that other users attach through the chat feature. This vulnerability affects…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5cisco/cisco_enterprise_chat_and_emailunspecified — 12.0(1)ES1

▶NVDcisco/enterprise_chat_and_email11.6\(1\)es9

🔴Vulnerability Details

GHSA

GHSA-mcq8-w4cg-w5v4: A vulnerability in the HTTP API of Cisco Enterprise Chat and Email could allow an unauthenticated, remote attacker to download files attached through↗2022-05-24

▶

CVEList

Cisco Enterprise Chat and Email Attachment Download Vulnerability↗2019-11-05

▶

📋Vendor Advisories

Cisco

Cisco Enterprise Chat and Email Attachment Download Vulnerability↗2019-06-19

▶