← Back

CVE-2018-15434

nvd nist
Published: Oct 5, 2018Modified: Nov 21, 2024

JSON object

Loading...
6.1
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

A vulnerability in the web-based management interface of Cisco Unified IP Phone 7900 Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Affected (1)

Cisco
1 product
Skinny Client Control Protocol Software
Configuration A
1 vulnerable · 22 platform
Vulnerable SoftwareAffected Versions
Skinny Client Control Protocol Software
Version 9.4(2)
Running on/withPlatform Versions
Cisco
Unified Ip Phones 7906g
All versions
Cisco
Unified Ip Phones 7911g
All versions
Cisco
Unified Ip Phones 7912g
All versions
Cisco
Unified Ip Phones 7920 Multi Charger
All versions
Cisco
Unified Ip Phones 7921g
All versions
Cisco
Unified Ip Phones 7925g
All versions
Cisco
Unified Ip Phones 7925g Ex
All versions
Cisco
Unified Ip Phones 7926g
All versions
Cisco
Unified Ip Phones 7931g
All versions
Cisco
Unified Ip Phones 7940g
All versions
Cisco
Unified Ip Phones 7941g
All versions
Cisco
Unified Ip Phones 7942g
All versions
Cisco
Unified Ip Phones 7945g
All versions
Cisco
Unified Ip Phones 7960g
All versions
Cisco
Unified Ip Phones 7961g
All versions
Cisco
Unified Ip Phones 7962g
All versions
Cisco
Unified Ip Phones 7965g
All versions
Cisco
Unified Ip Phones 7975g
All versions
Cisco
Unified Ip Phones Conference Station 7936
All versions
Cisco
Unified Ip Phones Conference Station 7937g
All versions
Cisco
Unified Ip Phones Expansion Module 7915
All versions
Cisco
Unified Ip Phones Expansion Module 7916
All versions

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

Source: psirt@cisco.com
Third Party AdvisoryVDB Entry
Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.