Vulnerability in Cisco Spark Hybrid Calendar Service Exposes Sensitive Data
CVE-2017-12310

7.5 HIGH

Key Information:

Vendor: Cisco
CVE Published: 27 March 2018

Summary

A vulnerability in the auto discovery phase of Cisco Spark Hybrid Calendar Service could enable an unauthenticated, remote attacker to view sensitive information present in unencrypted HTTP request headers. The Hybrid Calendar Service implementation makes unencrypted HTTP requests during auto discovery, so an attacker who can intercept and monitor network traffic can read them. Exploitation could give unauthorized access to sensitive customer data, including email and calendar events for Office365 users, and expose those users to further attacks. For more details, consult Cisco's advisory on the matter.

Affected Version(s)

Cisco Spark Hybrid Calendar Service

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
