
Cisco releases multiple WebEx security patches

The most important of the seven fixes for the WebEx Meeting Server platform remedies a flaw that could allow a cross-site request forgery attack.

Cisco Systems Inc. has released the first major batch of security fixes for its WebEx Meeting Server platform since revamping the product line at the beginning of October 2014.

On Jan. 8 and 9, Cisco released a total of seven new security patches addressing a variety of WebEx security vulnerabilities, all but one of which have been rated as having a CVSS score of "medium."

The most severe flaw would allow a remote attacker to perform a cross-site request forgery (CSRF) attack because of inadequate CSRF protections. The attack could be executed by convincing a user to follow a malicious link or visit an attacker-controlled website.

Cisco's other patches address issues that would allow remote attackers to perform a number of malicious activities, including gaining authenticated administrator access, generating sensitive encrypted values, enumerating valid user accounts or modifying the invite list of scheduled meetings. One uncategorized issue, if left unaddressed, may lead to a remote attacker enumerating valid user accounts.

WebEx, an established Web, video and audio conferencing product, is widely used, though the networking giant hopes the updates it announced last fall will help fend off new virtual conferencing competitors. Cisco has made WebEx multi-platform with versions on all major mobile and desktop OSes, and is also working on Web-based versions using WebRTC and HTML5.
