Unauthenticated Remote Attacker Could Initiate Calls on Affected Devices via XML Service Vulnerability
CVE-2024-20357

5.9MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Ip Phones With Multiplatform Firmware; Cisco Phoneos
Vendor: CVE Published:; 1 May 2024

What is CVE-2024-20357?

A vulnerability in the XML service of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to initiate phone calls on an affected device.

This vulnerability exists because bounds-checking does not occur while parsing XML requests. An attacker could exploit this vulnerability by sending a crafted XML request to an affected device. A successful exploit could allow the attacker to initiate calls or play sounds on the device.

Affected Version(s)

Cisco IP Phones with Multiplatform Firmware 11.3.1 MSR2-6

Cisco IP Phones with Multiplatform Firmware 11.3.1 MSR3-3

Cisco IP Phones with Multiplatform Firmware 11.3.2

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2024
Vulnerability Reserved
Nov 8, 2023