Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Patches Critical Vulnerability in Jabber for Windows

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Tracked as CVE-2020-3495 and featuring a CVSS score of 9.9, the flaw can be exploited remotely without authentication through sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) message to a vulnerable application.

The issue exists because the software fails to properly validate message contents. An attacker able to successfully exploit the vulnerability could execute arbitrary programs on the target system, likely gaining code execution capabilities, Cisco says.

Watchcom, the security firm that identified the flaw in the video conferencing and instant messaging application, explains that the code execution is the result of Cross Site Scripting (XSS) through XHTML-IM messages.

The XSS filter used to sanitize incoming HTML messages was found to be flawed and could be bypassed using the onanimationstart attribute, which specifies “a JavaScript function that will be called when an element’s CSS animation starts playing,” Watchcom says.

“Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically,” the company continues.

An attacker looking to exploit the vulnerability needs to send XMPP messages to PCs running Jabber for Windows, and may require access to “the same XMPP domain or another method of access to be able to send messages to clients,” the tech company explains.

Furthermore, Cisco notes that the attacker could cause the affected program to “run an arbitrary executable that already exists within the local file path of the application.”

The file would be executed with the same privileges as those of the user who launched the Jabber client application. The issue does not affect systems where Jabber is used in phone-only mode, without XMPP messaging services enabled. Exploitation is not possible when Jabber is configured to use other messaging services than XMPP.

The tech company also released patches to address a high-severity remote command execution flaw in the application protocol handling features of Jabber for Windows, which exists due to improper handling of input to the application protocol handlers.

Featuring a CVSS score of 8.8 and tracked as CVE-2020-3430, the bug can be exploited only on systems where Jabber is not currently running. To exploit the vulnerability, an attacker would need to trick a user “to click a link designed to send malicious content to the Cisco Jabber application.”

While there are no workarounds to address these security bugs, Cisco has already released updates to patch them. Jabber for Windows versions 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, and 12.9.1 contain the necessary fixes.

Cisco says it is not aware of these bugs being actively exploited.

On Wednesday, the company also published advisories related to three other high-risk issues: file overwrite (CVE-2020-3478) in Enterprise NFV Infrastructure Software (NFVIS) and privilege escalation (CVE-2020-3530 and CVE-2020-3473) flaws in IOS XR software.

Ten other advisories were published to provide information on eleven vulnerabilities affecting Webex; Email Security Appliance, Content Security Management Appliance, and Web Security Appliance; Small Business RV340 series routers; NFVIS; Jabber for Windows; FXOS software; and Email Security Appliance.

Technical details on all these vulnerabilities are available on the Cisco Security website.

Related: Cisco Says Hackers Targeting Zero-Days in Carrier-Grade Routers

Related: Cisco Patches High-Severity Vulnerabilities in NX-OS Software

Related: Default Credentials Expose Cisco ENCS, CSP Appliances to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.