Cisco Expressway and TelePresence Vulnerable to CSRF Attacks
CVE-2024-20255

CVSS v3.1 base score: 7.1 (HIGH)

Key Information:

Vendor: Cisco
CVE Published: 7 February 2024

Summary

A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an affected system. The vulnerability is due to insufficient CSRF protections in the web-based management interface: a state-changing request is accepted on the strength of the browser's session cookie alone, so a request forged by another site is processed as if the logged-in user had made it. An attacker could exploit this by persuading a user of the REST API to follow a crafted link while authenticated; a successful exploit could allow the attacker to cause the affected system to reload without the user's knowledge or consent. Cisco has released software updates that address this vulnerability; there are no workarounds, so affected installations should be upgraded to a fixed release.
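The weakness class described above, as an added illustration that is not Cisco's code and does not reflect the real Expressway endpoints: a constructed model of a management handler that triggers a reload for any request carrying a valid session cookie, next to a hardened handler that additionally requires POST, a trusted Origin/Referer, and a per-session anti-CSRF token. The endpoint path, origin names and session store are hypothetical.

```python
"""
Constructed model of a CSRF-prone management endpoint versus a hardened one.
Not Cisco's code; endpoint path, origins and session handling are invented
for illustration only.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # Per-session secret that only pages served from the trusted origin can read.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict = {}
TRUSTED_ORIGIN = "https://expressway.example.internal"  # hypothetical


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def authenticated_session(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def handle_reload_vulnerable(req: Request):
    """Checks only the session cookie. Browsers attach that cookie to
    cross-site form submissions as well, so an attacker-controlled page
    can make the victim's browser trigger the reload."""
    if authenticated_session(req) is None:
        return 401, "unauthenticated"
    return 200, "system reload scheduled"


def handle_reload_hardened(req: Request):
    """Same action, but the request must prove it came from the management
    UI: correct method, trusted Origin/Referer, and a token the attacker's
    origin cannot read."""
    sess = authenticated_session(req)
    if sess is None:
        return 401, "unauthenticated"
    if req.method != "POST":
        return 405, "state change requires POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGIN):
        return 403, "cross-origin request refused"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison; an empty or wrong token is rejected.
    if not secrets.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, "system reload scheduled"


def legit_request(sid: str) -> Request:
    """Request the real management UI would send (constructed)."""
    sess = SESSIONS[sid]
    return Request("POST", "/api/system/reload", {"session": sid},
                   {"Origin": TRUSTED_ORIGIN}, {"csrf_token": sess.csrf_token})


def cross_site_request(sid: str) -> Request:
    """Request an attacker page on another origin can cause the victim's
    browser to send: the cookie is attached automatically, but the attacker
    cannot set Origin to the trusted value or learn the CSRF token."""
    return Request("POST", "/api/system/reload", {"session": sid},
                   {"Origin": "https://attacker.example"}, {})


def demo() -> dict:
    sid = login("admin")
    return {
        "vuln_legit": handle_reload_vulnerable(legit_request(sid))[0],
        "vuln_csrf": handle_reload_vulnerable(cross_site_request(sid))[0],
        "hard_legit": handle_reload_hardened(legit_request(sid))[0],
        "hard_csrf": handle_reload_hardened(cross_site_request(sid))[0],
    }


if __name__ == "__main__":
    print(demo())  # vulnerable handler reloads on the forged request; hardened one returns 403
```

The vulnerable handler returns 200 for both requests because it cannot distinguish the forged one from a legitimate one. The hardened handler still needs a session cookie marked SameSite=Lax or Strict as defence in depth; the token and origin checks are what actually close the hole, since an attacker's page cannot read the victim's token and a browser will not let it forge the Origin header.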

Affected Version(s)

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.3

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5

CVSS v3.1

Score:
7.1
Severity:
HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Confidentiality:
None
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 7 February 2024