CVE-2020-26068 — Authorization Bypass Through User-Controlled Key in Cisco Telepresence Collaboration Endpoint

CWE-639 — Authorization Bypass Through User-Controlled Key4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.5

EPSS

0.2%

top 60.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Telepresence Collaboration Endpoint Cisco Telepresence Endpoint Software

Timeline

PublishedNov 18

Latest updateMay 24

Description

A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be avai…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5cisco/cisco_telepresence_endpoint_softwaren/a

▶NVDcisco/telepresence_collaboration_endpoint9.10.0 — 9.10.3+1

🔴Vulnerability Details

GHSA

GHSA-m8hx-3q8c-m23r: A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to gener↗2022-05-24

▶

CVEList

Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability↗2020-11-18

▶

📋Vendor Advisories

Cisco

Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability↗2020-11-18

▶