Vulnerability Summary
RealPresence Web Suite versions 2.1.2 and earlier do not pause a user’s video immediately upon joining a meeting. Instead, the video will take 2-3 seconds to go blank. During this time a meeting invitee may unknowingly be on camera.
Details
CVE 2018-12592 – WebSuite Exposure of Sensitive Information to an Unauthorized Actor
RealPresence Web Suite before 2.2.0 does not block a user's video for a few seconds upon joining a meeting (when the user has explicitly chosen to turn off the video using a specific option). During those seconds, a meeting invitee may unknowingly be on camera with other participants able to view.
Poly released a firmware update to address this vulnerability.
Published
Last Update: 3/14/2022
Initial Public Release: 6/18/2018
Advisory ID: PLYUI20-23
CVE ID: CVE- 2018-12592
CVSS Score: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Product Affected
| PRODUCTS | FIRMWARE | FIX |
|---|---|---|
| RealPresence WebSuite | 2.2.0 and Prior |
2.2.0 and above |
Solution
Poly recommends customers upgrade to firmware build 2.2.0 or later.
Workaround
Poly recommends following standard best practices for Unified Communications, as detailed in our best practices paper.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
RECOGNITION
Poly would like to thank Nirmal Kirubakaran and Nutan Kumar from eBay Security Assessment Team for reporting security vulnerabilities to us and for their coordinated disclosure.
Revision History
| VERSION | DATE | DESCRIPTION |
|---|---|---|
| 1.0 | 6/18/2018 | Initial Release |
| 1.1 | 6/22/2018 | Added CVE ID |
| 2.0 | 3/14/2022 | Format Changes |