Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Patches Critical Vulnerability in Jabber for Windows

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Tracked as CVE-2020-3495 and featuring a CVSS score of 9.9, the flaw can be exploited remotely without authentication through sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) message to a vulnerable application.

The issue exists because the software fails to properly validate message contents. An attacker able to successfully exploit the vulnerability could execute arbitrary programs on the target system, likely gaining code execution capabilities, Cisco says.

Watchcom, the security firm that identified the flaw in the video conferencing and instant messaging application, explains that the code execution is the result of Cross Site Scripting (XSS) through XHTML-IM messages.

The XSS filter used to sanitize incoming HTML messages was found to be flawed and could be bypassed using the onanimationstart attribute, which specifies “a JavaScript function that will be called when an element’s CSS animation starts playing,” Watchcom says.

“Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically,” the company continues.

An attacker looking to exploit the vulnerability needs to send XMPP messages to PCs running Jabber for Windows, and may require access to “the same XMPP domain or another method of access to be able to send messages to clients,” the tech company explains.

Furthermore, Cisco notes that the attacker could cause the affected program to “run an arbitrary executable that already exists within the local file path of the application.”

The file would be executed with the same privileges as those of the user who launched the Jabber client application. The issue does not affect systems where Jabber is used in phone-only mode, without XMPP messaging services enabled. Exploitation is not possible when Jabber is configured to use other messaging services than XMPP.

The tech company also released patches to address a high-severity remote command execution flaw in the application protocol handling features of Jabber for Windows, which exists due to improper handling of input to the application protocol handlers.

Featuring a CVSS score of 8.8 and tracked as CVE-2020-3430, the bug can be exploited only on systems where Jabber is not currently running. To exploit the vulnerability, an attacker would need to trick a user “to click a link designed to send malicious content to the Cisco Jabber application.”

While there are no workarounds to address these security bugs, Cisco has already released updates to patch them. Jabber for Windows versions 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, and 12.9.1 contain the necessary fixes.

Cisco says it is not aware of these bugs being actively exploited.

On Wednesday, the company also published advisories related to three other high-risk issues: file overwrite (CVE-2020-3478) in Enterprise NFV Infrastructure Software (NFVIS) and privilege escalation (CVE-2020-3530 and CVE-2020-3473) flaws in IOS XR software.

Ten other advisories were published to provide information on eleven vulnerabilities affecting Webex; Email Security Appliance, Content Security Management Appliance, and Web Security Appliance; Small Business RV340 series routers; NFVIS; Jabber for Windows; FXOS software; and Email Security Appliance.

Technical details on all these vulnerabilities are available on the Cisco Security website.

Related: Cisco Says Hackers Targeting Zero-Days in Carrier-Grade Routers

Related: Cisco Patches High-Severity Vulnerabilities in NX-OS Software

Related: Default Credentials Expose Cisco ENCS, CSP Appliances to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.