PT-2020-1388 · Cisco · Cisco Roomos+2

Published

2020-01-22

·

Updated

2020-10-05

·

CVE-2020-3143

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Cisco TelePresence Collaboration Endpoint (CE) Software (affected versions not specified)
Cisco TelePresence Codec (TC) Software (affected versions not specified)
Cisco RoomOS Software (affected versions not specified)
Description

A vulnerability in the video endpoint API (xAPI) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The issue is due to insufficient validation of user-supplied input to the xAPI. An attacker could exploit it by sending a crafted request to the xAPI; a successful exploit could allow the attacker to read and write arbitrary files on the system. To exploit this, an attacker would need either an In-Room Control or an administrator account.
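The weakness class behind this advisory (CWE-22, path traversal caused by insufficient validation of a user-supplied file name) is illustrated below. This is an added example and not Cisco's code; nothing is known about how the xAPI resolves paths internally. The base directory `/var/app/uploads`, the helper names and the sample request values are all constructed for the illustration. The block shows a naive join that lets `../` segments escape the base directory, next to a hardened resolver that decodes the input once, rejects absolute paths and NUL bytes, normalises the result and checks containment with `commonpath` rather than a prefix test (a `startswith` check would wrongly accept `/var/app/uploads_evil`).

```python
import posixpath
from urllib.parse import unquote

# Hypothetical base directory for the example; not a real device path.
BASE_DIR = "/var/app/uploads"


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Naive resolver: joins the user-supplied name under base_dir.

    '../' segments are never rejected, so the normalised result can point
    anywhere on the filesystem. This is the pattern the advisory describes.
    """
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened resolver: returns the resolved path or raises ValueError."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute path not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath compares whole path components, so '/var/app/uploads_evil'
    # is correctly rejected even though it starts with '/var/app/uploads'.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def check_request_path(base_dir: str, raw_path: str) -> str:
    """Decode a URL-encoded request value exactly once, then validate it.

    Decoding once (not in a loop) avoids double-decoding tricks while still
    catching payloads such as '..%2F..%2Fetc%2Fpasswd'.
    """
    return safe_resolve(base_dir, unquote(raw_path))


def demo(base_dir: str = BASE_DIR) -> list[tuple[str, str, str]]:
    """Run constructed sample request values through both resolvers.

    Returns (input, result of the naive join, verdict of the hardened check).
    """
    # Constructed sample inputs: one benign, one benign with a redundant
    # segment, and three traversal attempts of increasing subtlety.
    samples = [
        "report.txt",
        "sub/../report.txt",
        "../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",
        "../uploads_evil/report.txt",
    ]
    rows = []
    for raw in samples:
        naive = vulnerable_resolve(base_dir, unquote(raw))
        try:
            verdict = "ok:" + check_request_path(base_dir, raw)
        except ValueError as exc:
            verdict = "rejected:" + str(exc)
        rows.append((raw, naive, verdict))
    return rows


if __name__ == "__main__":
    for raw, naive, verdict in demo():
        print(f"{raw!r:32} naive={naive:32} hardened={verdict}")
```

The naive resolver maps `../../../etc/passwd` to `/etc/passwd`; the hardened one rejects it, rejects the percent-encoded variant after a single decode, and rejects the sibling-directory escape that a prefix check would miss, while still accepting `sub/../report.txt` because it normalises back inside the base directory.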
Recommendations

Update Cisco TelePresence Collaboration Endpoint (CE) Software, Cisco TelePresence Codec (TC) Software and Cisco RoomOS Software to a release that includes the fix for this issue. As a temporary workaround, restrict which hosts and accounts can reach the xAPI; since an In-Room Control account is sufficient to exploit the issue, limit those accounts as well as administrator accounts.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2020-00339
CVE-2020-3143

Affected Products

Cisco Roomos
Cisco Telepresence Codec (Tc)
Cisco Telepresence Collaboration Endpoint (Ce)