Access Control Bypass in Cisco TelePresence and RoomOS Software
CVE-2023-20002

4.4MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco RoomOS Software; Cisco TelePresence Endpoint Software (TC/CE)
Vendor: CVE Published:; 20 January 2023

Summary

A vulnerability in Cisco TelePresence CE and RoomOS Software allows an authenticated, local attacker to bypass access controls and perform server-side request forgery (SSRF) attacks. This issue arises from inadequate validation of user-supplied input, enabling attackers to send carefully crafted requests via the web application. Successful exploitation permits the attacker to send arbitrary network requests originating from the affected device, potentially compromising network security.

Affected Version(s)

Cisco RoomOS Software RoomOS 10.3.2.0

Cisco RoomOS Software RoomOS 10.3.4.0

Cisco RoomOS Software RoomOS 10.8.2.5

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 20, 2023
Vulnerability Reserved
Oct 27, 2022