Unauthenticated Remote Attacker Could Initiate Calls on Affected Devices via XML Service Vulnerability

CVE-2024-20357

5.9MEDIUM

Key Information

Vendor: Cisco
Status: Cisco Ip Phones With Multiplatform Firmware; Cisco Phoneos
Vendor: CVE Published:; 1 May 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device. This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.

Affected Version(s)

Cisco IP Phones with Multiplatform Firmware = 11.3.1 MSR2-6

Cisco IP Phones with Multiplatform Firmware = 11.3.1 MSR3-3

Cisco IP Phones with Multiplatform Firmware = 11.3.2

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
May 1, 2024
Vulnerability Reserved.
Nov 8, 2023
👾
Exploit exists.
Jan 1, 1970

Collectors

NVD DatabaseMitre Database