Cisco TelePresence CE and RoomOS Vulnerability Allows Arbitrary File Overwriting
CVE-2023-20091

5.1 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 15 November 2024

Summary

A security risk exists within the command-line interface (CLI) of Cisco TelePresence CE and RoomOS, where improper access controls allow an authenticated local attacker to overwrite files on the local file system. By placing a symbolic link in a designated location, the attacker can target arbitrary files, leading to potential manipulation or corruption of data. The exploitation of this vulnerability requires an attacker to possess a remote support user account. Cisco has addressed the issue through software updates, and there are currently no available workarounds.

Affected Version(s)

Cisco TelePresence Endpoint Software (TC/CE) CE9.10.2

Cisco TelePresence Endpoint Software (TC/CE) CE9.1.4

Cisco TelePresence Endpoint Software (TC/CE) CE9.9.3

CVSS V3.1

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved