First published: Tue Nov 21 2023(Updated: )
A vulnerability in the web-based management interface of a small subset of Cisco IP Phones could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
Cisco Ip Dect 110 Firmware | <5.1.2sr1 | |
Cisco Ip Dect 110 | ||
All of | ||
Cisco Ip Dect 210 Firmware | <5.1.2sr1 | |
Cisco Ip Dect 210 | ||
All of | ||
Cisco Unified Ip Phone 6901 Firmware | >=9.0<9.3\(1\)sr3 | |
Cisco Unified Ip Phone 6901 | ||
All of | ||
Cisco Unified Sip Phone 3905 Firmware | >=9.0<9.4\(1\)sr4 | |
Cisco Unified SIP Phone 3905 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this Cisco IP Phone vulnerability is CVE-2023-20265.
The severity of CVE-2023-20265 is medium (CVSS score 5.5).
This vulnerability occurs due to insufficient validation of user-supplied input in the web-based management interface of affected Cisco IP Phones.
An authenticated, remote attacker could exploit this vulnerability to conduct a stored cross-site scripting (XSS) attack against a user of the interface on the affected device.
It is recommended to refer to the Cisco Security Advisory referenced in the description for available patches or mitigations for CVE-2023-20265.