Wednesday, 09 July 2025

Critical vulnerability in Cisco Jabber could allow remote system compromise

Cisco has released software updates that address multiple vulnerabilities in Jabber messaging clients for Windows, macOS, Android, and iOS operating systems.

Exploitation of these vulnerabilities could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a Denial of Service (DoS) condition.

In total, five vulnerabilities have been fixed. To exploit the issues, an attacker needs to be authenticated to an XMPP server used by the vulnerable software and be able to send XMPP messages.

The most dangerous issue (CVE-2021-1411) stems from improper validation of message content in the Windows version of the application and received a score of 9.9 out of a maximum of 10 on the CVSS scale. An attacker could send specially crafted XMPP messages to a vulnerable client and execute arbitrary code with the same privileges as the user's account.

Cisco has also fixed four other issues in Jabber, including:

CVE-2021-1469 (Windows) - improper validation of message content, which could lead to arbitrary code execution.

CVE-2021-1417 (Windows) - improper validation of message content, which could be used to leak confidential information.

CVE-2021-1471 (Windows, macOS, Android, iOS) - a certificate validation vulnerability that can be used to intercept network requests and even modify connections between the Jabber client and a server.

CVE-2021-1418 (Windows, macOS, Android, iOS) - improper validation of message content, which can be exploited by sending crafted XMPP messages to cause a Denial of Service (DoS) condition.

Source: securitylab.ru

26 March 2021
