Cisco Jabber CVEs

I discovered and disclosed 7 different vulnerabilities in Cisco Jabber in 2020. The tables below show the CVE number and CVSS score for each of the vulnerabilities. For more details, see my blog post or the original and follow-up articles on Watchcom's website.

First four vulnerabilities, disclosed in September 2020:

| CVE ID | Title | CVSS |
| --- | --- | --- |
| CVE-2020-3495 | Cisco Jabber Message Handling Arbitrary Code Execution | 9.9 |
| CVE-2020-3430 | Cisco Jabber Protocol Handler Command Injection | 8.8 |
| CVE-2020-3498 | Cisco Jabber Information Disclosure | 6.5 |
| CVE-2020-3537 | Cisco Jabber Universal Naming Convention Link Handling | 5.7 |

Three new vulnerabilities, disclosed in December 2020:

| CVE ID | Title | CVSS |
| --- | --- | --- |
| CVE-2020-26085 | Cisco Jabber Cross-Site Scripting leading to RCE | 9.9 |
| CVE-2020-27132 | Cisco Jabber Password Hash Stealing Information Disclosure | 6.5 |
| CVE-2020-27127 | Cisco Jabber Custom Protocol Handler Command Injection | 4.3 |