Accessibility Skip to content

RealPresence WebSuite - Exposure of Private Personal Information to an Unauthorized Actor

Vulnerability Summary

RealPresence Web Suite versions 2.1.2 and earlier do not pause a user’s video immediately upon joining a meeting. Instead, the video will take 2-3 seconds to go blank. During this time a meeting invitee may unknowingly be on camera. 

 

Details

CVE 2018-12592 – WebSuite Exposure of Sensitive Information to an Unauthorized Actor
RealPresence Web Suite before 2.2.0 does not block a user's video for a few seconds upon joining a meeting (when the user has explicitly chosen to turn off the video using a specific option). During those seconds, a meeting invitee may unknowingly be on camera with other participants able to view.

Poly released a firmware update to address this vulnerability.  

Published

Last Update: 3/14/2022
Initial Public Release: 6/18/2018
Advisory ID:  PLYUI20-23

CVE ID: CVE- 2018-12592
CVSS Score: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Product Affected
PRODUCTS FIRMWARE FIX
RealPresence WebSuite

2.2.0 and Prior

2.2.0 and above
Solution

Poly recommends customers upgrade to firmware build 2.2.0 or later. 

 

Workaround

Poly recommends following standard best practices for Unified Communications, as detailed in our best practices paper.

Contact

Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support(888) 248-4143, (916) 928-7561, or visit the Poly Support Site.

 

RECOGNITION

Poly would like to thank Nirmal Kirubakaran and Nutan Kumar from eBay Security Assessment Team for reporting security vulnerabilities to us and for their coordinated disclosure.

Revision History
VERSION DATE DESCRIPTION
1.0 6/18/2018 Initial Release
1.1 6/22/2018 Added CVE ID
2.0 3/14/2022 Format Changes