CVE-2023-20265
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD
Description
A vulnerability in the web-based management interface of a small subset of Cisco IP Phones could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device.
Affected (4)
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 5.1.2sr1 |
| Running on/with | Platform Versions |
|---|---|
Cisco Ip Dect 110 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Before 5.1.2sr1 |
| Running on/with | Platform Versions |
|---|---|
Cisco Ip Dect 210 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| From 9.0 to 9.3\(1\)sr3 |
| Running on/with | Platform Versions |
|---|---|
Cisco Unified Ip Phone 6901 | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| From 9.0 to 9.4\(1\)sr4 |
| Running on/with | Platform Versions |
|---|---|
Cisco Unified Sip Phone 3905 | All versions |
References (2)
Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.