CVE-2021-1526: 
Cisco WebEx Player vulnerability analysis and mitigation

A vulnerability (CVE-2021-1526) was discovered in Cisco Webex Player for Windows and MacOS that could allow an attacker to execute arbitrary code on affected systems. The vulnerability was disclosed on June 2, 2021, affecting Cisco Webex Player releases earlier than 41.5. This security flaw is due to insufficient validation of values in Webex recording files that are in Webex Recording Format (WRF) (Cisco Advisory).

The vulnerability is classified as a memory corruption issue with a CVSS v3.1 base score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw is identified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-787 (Out-of-bounds Write). The issue specifically affects the parsing of WRF files due to insufficient validation of user-supplied data (Cisco Advisory, NVD).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system with the privileges of the targeted user. The vulnerability affects both Windows and MacOS versions of the Cisco Webex Player (Cisco Advisory).

Cisco addressed this vulnerability by releasing version 41.5 and later of the Webex Player. No workarounds are available for this vulnerability. Users are advised to update to the latest version available from the Cisco Webex Video Recording page or corresponding Cisco Webex Meetings sites (Cisco Advisory).