Cisco has encountered a new critical remote code execution (RCE) vulnerability affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms, after fixing a related security bug in September.
Cisco Jabber is a desktop instant messaging and web conferencing application created using the Chromium Embedded Framework (CEF).
The application provides messaging between users over the Extensible Messaging and Presence Protocol (XMPP), along with presentation and desktop-sharing capabilities.
RCE due to insufficient mitigation
Cisco released security updates in September to address a critical RCE vulnerability, tracked as CVE-2020-3495, caused by a cross-site scripting (XSS) flaw in Cisco Jabber.
Since then, Watchcom researchers have found a new RCE vulnerability and reported it to Cisco after testing whether the September patch completely corrected CVE-2020-3495.
"Patch updates are now available and we invite all Cisco Jabber users to make the updates as soon as possible!"
In all, the researchers reported four client vulnerabilities in Cisco Jabber in September, and found that three of them were not adequately mitigated by Cisco's patches.
Source of information: bleepingcomputer.com