CVE-2024-20270: XSS
First published: Wed Jan 17 2024(Updated: )
A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco BroadWorks Xtended Services Platform | >=24.0.2023.01<24.0.2023.10 | |
| Cisco BroadWorks Xtended Services Platform | >=25.0.2023.01<25.0.2023.10 | |
| Cisco BroadWorks Xtended Services Platform | =23.0.2024.01 | |
| Cisco BroadWorks Application Delivery Platform | >=24.0.2023.01<24.0.2023.10 | |
| Cisco BroadWorks Application Delivery Platform | >=25.0.2023.01<25.0.2023.10 | |
| Cisco BroadWorks Application Delivery Platform | =23.0.2024.01 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-20270?
CVE-2024-20270 is considered a medium severity vulnerability due to its ability to enable stored XSS attacks against authenticated users.
How do I fix CVE-2024-20270?
To address CVE-2024-20270, update the Cisco BroadWorks Application Delivery Platform or BroadWorks Xtended Services Platform to the latest versions released by Cisco.
Who is affected by CVE-2024-20270?
CVE-2024-20270 affects users of Cisco BroadWorks Application Delivery Platform and BroadWorks Xtended Services Platform versions between 24.0.2023.01 and 24.0.2023.10, as well as 25.0.2023.01 to 25.0.2023.10, and 23.0.2024.01.
What type of attack can be executed using CVE-2024-20270?
CVE-2024-20270 allows an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack.
Is CVE-2024-20270 exploitable without authentication?
No, CVE-2024-20270 requires authentication to exploit the stored XSS vulnerability.
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- vendor/cisco
- canonical/cisco broadworks xtended services platform
- version/cisco broadworks xtended services platform/24.0.2023.01
- version/cisco broadworks xtended services platform/25.0.2023.01
- version/cisco broadworks xtended services platform/23.0.2024.01
- canonical/cisco broadworks application delivery platform
- version/cisco broadworks application delivery platform/24.0.2023.01
- version/cisco broadworks application delivery platform/25.0.2023.01
- version/cisco broadworks application delivery platform/23.0.2024.01