Vulnerability in Cisco Spark Hybrid Calendar Service Exposes Sensitive Data
CVE-2017-12310
7.5 HIGH
Key Information:
- Vendor: Cisco
- CVE Published: 27 March 2018
What is CVE-2017-12310?
A vulnerability in the auto discovery phase of Cisco Spark Hybrid Calendar Service could enable an unauthenticated, remote attacker to view sensitive information present in unencrypted HTTP request headers. Specifically, the implementation of the Hybrid Calendar service makes unencrypted requests during this phase, so an attacker who can intercept and monitor the network traffic can read them. A successful exploit gives unauthorized access to sensitive customer data, including email and calendar events for Office365 users, exposing them to potential further attacks. For more details, consult Cisco's advisory on the matter.
Affected Version(s)
Cisco Spark Hybrid Calendar Service