Strix
26.1K

CVE-2017-3823

UnknownEPSS 27.23%

Last modified

CVE-2017-3823 is a vulnerability of currently unknown severity. An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. EPSS estimates a 27.23% chance of exploitation in the next 30 days.

Description

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. The vulnerability is a design defect in an application programing interface (API) response parser within the extension. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

Metrics

EPSS Probability
27.23%

97.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CiscoActivetouch General Plugin Container105
CiscoDownload Manager2.1.0.9
CiscoGpccontainer Class<= 10031.6.2017.0125
CiscoWebex<= 1.0.6
CiscoWebex Meetings Server2.0_base
CiscoWebex Meetings Server2.0_mr2
CiscoWebex Meetings Server2.0_mr3
CiscoWebex Meetings Server2.0_mr4
CiscoWebex Meetings Server2.0_mr5
CiscoWebex Meetings Server2.0_mr6
CiscoWebex Meetings Server2.0_mr7
CiscoWebex Meetings Server2.0_mr8
CiscoWebex Meetings Server2.0_mr9
CiscoWebex Meetings Server2.5_base
CiscoWebex Meetings Server2.5_mr1
CiscoWebex Meetings Server2.5_mr2
CiscoWebex Meetings Server2.5_mr3
CiscoWebex Meetings Server2.5_mr4
CiscoWebex Meetings Server2.5_mr5
CiscoWebex Meetings Server2.5_mr6
CiscoWebex Meetings Server2.6_base
CiscoWebex Meetings Server2.6_mr1
CiscoWebex Meetings Server2.6_mr2
CiscoWebex Meetings Server2.6_mr3
CiscoWebex Meetings Server2.7_base
CiscoWebex Meetings Server2.7_mr1
CiscoWebex Meetings Server2.7_mr2
CiscoWebex Meeting Center2.6_base
CiscoWebex Meeting Center2.6_mr1
CiscoWebex Meeting Center2.6_mr2
CiscoWebex Meeting Center2.6_mr3
CiscoWebex Meeting Center2.7_base
CiscoWebex Meeting Center2.7_mr1
CiscoWebex Meeting Center2.7_mr2
CiscoWebex Meeting Centert29_base
CiscoWebex Meeting Centert30_base
CiscoWebex Meeting Centert31_base

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2017-3823?
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. The vulnerability is a design defect in an application programing interface (API) response parser within the extension. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.
How severe is CVE-2017-3823?
Severity scoring for CVE-2017-3823 is pending analysis. The EPSS model estimates a 27.23% probability of exploitation in the next 30 days.
How do I fix CVE-2017-3823?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-3823?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST