Description
A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software, Cisco TelePresence Codec (TC) Software, and Cisco RoomOS Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the xAPI of the affected software. An attacker could exploit this vulnerability by sending a crafted request to the xAPI. A successful exploit could allow the attacker to read and write arbitrary files in the system. To exploit this vulnerability, an attacker would need either an In-Room Control or administrator account.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telepresence-path-tr-wdrnYEZZ
Scores
CVSS v3
7.2
EPSS
0.0169
EPSS Percentile
82.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (21)
cisco/ex60_firmware
cisco/ex90_firmware
cisco/sx10_firmware
cisco/sx20_firmware
cisco/sx80_firmware
cisco/telepresence_codec_c40_firmware
cisco/telepresence_codec_c60_firmware
cisco/telepresence_codec_c90_firmware
cisco/telepresence_mx200_firmware
cisco/telepresence_mx300_firmware
... and 11 more
Published
Sep 23, 2020
Tracked Since
Feb 18, 2026