CVE-2020-26068 vulnerability in Cisco Products
Published on November 18, 2020
Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability
A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.
Vulnerability Analysis
CVE-2020-26068 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2020-26068 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2020-26068
stack.watch emails you whenever new vulnerabilities are published in Cisco Roomos or Cisco Telepresence Collaboration Endpoint. Just hit a watch button to start following.
Affected Versions
Cisco TelePresence Endpoint Software (TC/CE) Version n/a is affected by CVE-2020-26068Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.