Attacker Could Redirect Users to Malicious Web Page via Cisco Expressway Series Vulnerability
CVE-2024-20400

4.7 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 17 July 2024

Summary

A vulnerability exists in the web-based management interface of Cisco Expressway Series that permits an unauthenticated remote attacker to reroute a user to a malicious web page. The flaw arises from ineffective validation of HTTP request parameters, enabling an attacker to intercept and alter requests from users. Exploitation of this vulnerability could lead to unintended user redirection, potentially compromising user data and security. The affected components include Cisco Expressway Control (Expressway-C) and Cisco Expressway Edge (Expressway-E) devices, highlighting the need for immediate action to secure these platforms.

Affected Version(s)

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.3

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
