PT-2019-2555 · Cisco · Cisco Enterprise Chat/Email

Published

2019-06-19

·

Updated

2020-10-16

·

CVE-2019-1877

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Cisco Enterprise Chat and Email versions prior to 12.0(1)ES1

Description

The HTTP API component of Cisco Enterprise Chat and Email does not sufficiently protect internal data, and the file download function of that API does not sufficiently authenticate the caller. An unauthenticated, remote attacker can send a crafted request to the API and download files that were attached through chat sessions, disclosing protected information. No credentials or user interaction are required, and the impact is limited to confidentiality (integrity and availability are not affected, as the CVSS vector shows).

Recommendations

Update Cisco Enterprise Chat and Email to version 12.0(1)ES1 or later. Until the update is applied, restrict network access to the file download function of the HTTP API (for example, to trusted hosts only) to reduce exposure, and avoid exchanging sensitive files as chat attachments. Restricting access is a mitigation only: the download function remains unauthenticated until the fixed version is installed.
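As an added illustration of the weakness class this advisory names (improper authentication on a download function leading to information disclosure), the Python below contrasts a handler that returns an attachment for any known identifier with a hardened one that authenticates the caller and checks that the caller participated in the chat session the file came from. This is example code written for this page, not Cisco's code: no ECE endpoint, path or parameter is represented, and the attachment records, sessions, tokens and request dictionaries are all constructed.

```python
"""Vulnerable vs. hardened attachment download, modelled on the weakness
class in this advisory. Constructed illustration; not Cisco ECE code."""
from dataclasses import dataclass
import hmac

# Constructed sample data: two chat sessions, one attachment each.
ATTACHMENTS = {
    "att-1001": {"session": "chat-42", "name": "invoice.pdf", "bytes": b"%PDF-1.4 invoice"},
    "att-1002": {"session": "chat-43", "name": "id-scan.png", "bytes": b"\x89PNG id scan"},
}
SESSION_PARTICIPANTS = {
    "chat-42": {"agent-7", "customer-a"},
    "chat-43": {"agent-9", "customer-b"},
}
# Constructed API tokens issued to authenticated users.
TOKENS = {"tok-agent7": "agent-7", "tok-custb": "customer-b"}


@dataclass
class Response:
    status: int
    body: bytes = b""


def download_vulnerable(request: dict) -> Response:
    """Vulnerable pattern: the attachment id alone is treated as authorization.
    Anyone who can reach the API and guess or learn an id gets the file."""
    att = ATTACHMENTS.get(request.get("attachment_id", ""))
    if att is None:
        return Response(404)
    return Response(200, att["bytes"])


def authenticate(request: dict):
    """Map a bearer token to a user; constant-time compare against each issued token."""
    presented = request.get("authorization", "").encode()
    for token, user in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented):
            return user
    return None


def download_hardened(request: dict) -> Response:
    """Hardened pattern: authenticate first, then check that the caller is a
    participant of the session the attachment belongs to (object-level authorization)."""
    user = authenticate(request)
    if user is None:
        return Response(401)
    att = ATTACHMENTS.get(request.get("attachment_id", ""))
    # Same 404 for "unknown id" and "not your session" so the endpoint
    # does not confirm which ids exist.
    if att is None or user not in SESSION_PARTICIPANTS.get(att["session"], set()):
        return Response(404)
    return Response(200, att["bytes"])


def leaks_to_anonymous(handler, attachment_id: str) -> bool:
    """Probe used when reviewing an API: does an unauthenticated request get file bytes?"""
    resp = handler({"attachment_id": attachment_id})
    return resp.status == 200 and len(resp.body) > 0


if __name__ == "__main__":
    for name, h in (("vulnerable", download_vulnerable), ("hardened", download_hardened)):
        print(f"{name}: anonymous download of att-1002 ->", leaks_to_anonymous(h, "att-1002"))
```

The probe function is the check a practitioner would run against any file-serving API: an unauthenticated request for a valid identifier must not return content. The hardened handler also enforces the second half of the fix, ownership of the object, since authenticating the caller without tying the attachment to a session the caller belongs to would still let any logged-in user enumerate other users' files.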

Fix

Weakness Enumeration

Improper Authentication
Information Disclosure

Related Identifiers

BDU:2019-02407
CVE-2019-1877

Affected Products

Cisco Enterprise Chat/Email