CVE-2021-1503: 
Cisco WebEx Player vulnerability analysis and mitigation

A vulnerability (CVE-2021-1503) was discovered in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS. The vulnerability was disclosed on June 2, 2021, affecting versions earlier than Release 41.2. This security flaw could allow an attacker to execute arbitrary code on affected systems (Cisco Advisory, SecurityWeek).

The vulnerability is caused by insufficient validation of values in Webex recording files that are in either Advanced Recording Format (ARF) or Webex Recording Format (WRF). It has been assigned a CVSS score of 7.8 (High severity) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system with the privileges of the targeted user. The attacker could gain control over the affected system by convincing a user to open a malicious ARF or WRF file (Lansweeper, Cisco Advisory).

Cisco has released software updates that address this vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player releases 41.2 and later. For customers who host Cisco Webex Meetings Server on premises, updated releases of Cisco Webex Network Recording Player are available from server releases 3.0 MR4 and later and 4.0 MR4 and later. No workarounds are available for this vulnerability (Cisco Advisory).