Stored Cross-Site Scripting Vulnerability in Cisco IP Phones Management Interface
CVE-2023-20265

5.5 MEDIUM

Badges

👾 Exploit Exists

Summary

A vulnerability exists in the web-based management interface of specific Cisco IP Phones that may allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack. The issue stems from inadequate validation of user-supplied input: an attacker can store crafted content so that malicious HTML or script code is executed when a user interacts with the affected interface. Successful exploitation could lead to unauthorized access to sensitive browser-based information. To carry out this attack, the attacker must have valid credentials for the management interface.

Affected Version(s)

Cisco IP Phones with Multiplatform Firmware 4.5

Cisco IP Phones with Multiplatform Firmware 4.6 MSR1

Cisco IP Phones with Multiplatform Firmware 4.7.1

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
