Cisco is again patching major vulnerabilities in Jabber that enabled RCE
Cisco has again fixed a remote code execution vulnerability in its Jabber messaging software. The hole, which came to light in September, turned out to have been patched incompletely at the time and has now been addressed again by Cisco. It carries a CVSS score of 9.9.
This is a vulnerability in the chat component of Jabber. An attacker could gain remote code execution on the target with a single message that the application could not recognize as malicious, because the app fails to properly filter malicious elements from message content. The target can be any user, and the only remedy is to update to the recently released version: there are no workarounds, and all platforms are affected. Both in September and now, the vulnerabilities were reported by the security company Watchcom.
The vulnerabilities are CVE-2020-26085, CVE-2020-27132, CVE-2020-27133, CVE-2020-27134 and CVE-2020-27127. Cisco's advisory lists which release versions no longer contain the vulnerability. The advice of the security company that exposed the vulnerabilities, then and now, is to update immediately and to block external communications until that is done.
Proof of concept at the time of the first announcement, early September 2020