Summary

• A vulnerability in Cisco WebEx Training Center could allow an unauthenticated, remote attacker to view the session number for trainings that require host approval before the host approves the attacker as an attendee.
  
  The vulnerability is due to inappropriate disclosure of sensitive information in server replies to clients. An attacker could exploit this vulnerability by viewing the source for the vulnerable pages. An attacker with a valid session number can use that number to join the audio portion of a conference even if the host has not approved the attacker as an attendee. The attacker would still require approval to join the web conference.
  
  Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.
  
  Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected Products

• Customers are advised to consult Cisco bug ID CSCul57126 for the most complete list of affected product versions.

  Vulnerable Products

  Cisco WebEx Training Center is vulnerable.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Workarounds

• Administrators are advised to contact the vendor regarding future updates and releases.
  
  Administrators are advised to allow only trusted users to have network access.
  
  Administrators are advised to monitor affected systems.

Fixed Software

• Software updates are not available.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131213-CVE-2013-6972

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial Release	NA	Final	2013-Dec-13

  Show Less