PT-2018-5388 · Microsoft+1 · Office 365+1

Published: 2018-03-27 · Updated: 2019-10-09 · CVE-2017-12310

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Cisco Spark Hybrid Calendar Service (affected versions not specified)
Description: A vulnerability in the auto discovery phase could allow an unauthenticated, remote attacker to view sensitive information in the unencrypted headers of an HTTP method request. This information could be used to conduct additional reconnaissance attacks, potentially leading to the disclosure of sensitive customer data. The vulnerability exists due to an unencrypted HTTP request made during the auto discovery phase, which is a requirement for implementing the Hybrid Calendar service. An attacker could exploit this by monitoring the unencrypted traffic on the network, potentially accessing sensitive customer data, such as email and calendar events belonging to Office 365 users.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cleartext Transmission of Sensitive Information

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2017-12310

Affected Products

Cisco Spark Hybrid Calendar Service
Office 365