Cisco WebEx Meeting Center Web-Based Administrative Interface User Enumeration Vulnerability

A vulnerability in the web-based administrative interface of Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to enumerate valid usernames and determine if the usernames have administrative privileges.

The vulnerability is due to a logic error in the handling of invalid usernames. An attacker could exploit this vulnerability by submitting a username and analyzing the error returned by the application. The attacker can determine if the user exists in the user database and if the user has administrative privileges based on the error returned by the application.

Cisco has confirmed the vulnerability and released software updates.

A successful exploit may provide an attacker with a valid username stored in the user database of a targeted device. An attacker may use this information as a first step into gathering additional information, in conjunction with social engineering techniques, that could be used to gain unauthorized access to a device.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.