Cross-Site Scripting Vulnerability in Cisco Small Business SPA500 Series IP Phones
CVE-2023-20181

6.1MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Small Business IP Phones
Vendor: CVE Published:; 3 August 2023

What is CVE-2023-20181?

A vulnerability exists in the web-based management interface of Cisco Small Business SPA500 Series IP Phones, allowing remote attackers to exploit it through Cross-Site Scripting (XSS) techniques. This issue arises from inadequate validation of user input, potentially enabling an attacker to execute arbitrary script code in the context of the interface or to gain access to sensitive browser information. An attacker can exploit this vulnerability by enticing a user to click on a specially crafted link, leading to unauthorized actions within the affected software.

Affected Version(s)

Cisco Small Business IP Phones 7.6.0

Cisco Small Business IP Phones 7.6.2

Cisco Small Business IP Phones 7.6.2SR3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 3, 2023
Vulnerability Reserved
Oct 27, 2022