CVE-2024-20534

Published: Nov 6, 2024Modified: Jan 5, 2026

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

Affected (29)

Cisco

23 products

Desk Phone 9841 With Multiplatform Firmware

Desk Phone 9851 With Multiplatform Firmware

Desk Phone 9861 With Multiplatform Firmware

Desk Phone 9871 With Multiplatform Firmware

Ip Phone 6821 With Multiplatform Firmware

Ip Phone 6841 With Multiplatform Firmware

Ip Phone 6851 With Multiplatform Firmware

Ip Phone 6861 With Multiplatform Firmware

Ip Phone 6871 With Multiplatform Firmware

Ip Phone 7811 With Multiplatform Firmware

Ip Phone 7821 With Multiplatform Firmware

Ip Phone 7832 With Multiplatform Firmware

Ip Phone 7841 With Multiplatform Firmware

Ip Phone 7861 With Multiplatform Firmware

Ip Phone 8811 With Multiplatform Firmware

Ip Phone 8832 With Multiplatform Firmware

Ip Phone 8841 With Multiplatform Firmware

Ip Phone 8845 With Multiplatform Firmware

Ip Phone 8851 With Multiplatform Firmware

Ip Phone 8861 With Multiplatform Firmware

Ip Phone 8865 With Multiplatform Firmware

Video Phone 8875 With Multiplatform Firmware

Ip Phone 8831 With Multiplatform Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Desk Phone 9841 With Multiplatform Firmware	Version 3.1(1)
Cisco Desk Phone 9841 With Multiplatform Firmware	Version 3.1(1) sr1

Running on/with	Platform Versions
Cisco Desk Phone 9841	All versions

Configuration B

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Desk Phone 9851 With Multiplatform Firmware	Version 3.1(1)
Cisco Desk Phone 9851 With Multiplatform Firmware	Version 3.1(1) sr1

Running on/with	Platform Versions
Cisco Desk Phone 9851	All versions

Configuration C

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Desk Phone 9861 With Multiplatform Firmware	Version 3.1(1)
Cisco Desk Phone 9861 With Multiplatform Firmware	Version 3.1(1) sr1

Running on/with	Platform Versions
Cisco Desk Phone 9861	All versions

Configuration D

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Desk Phone 9871 With Multiplatform Firmware	Version 3.1(1)
Cisco Desk Phone 9871 With Multiplatform Firmware	Version 3.1(1) sr1

Running on/with	Platform Versions
Cisco Desk Phone 9871	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 6821 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 6821	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 6841 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 6841	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 6851 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 6851	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 6861 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 6861	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 6871 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 6871	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 7811 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 7811	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 7821 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 7821	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 7832 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 7832	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 7841 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 7841	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 7861 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 7861	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8811 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8811	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8832 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8832	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8841 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8841	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8845 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8845	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8851 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8851	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8861 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8861	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8865 With Multiplatform Firmware	Version 12.0(5) sr1

Running on/with	Platform Versions
Cisco Ip Phone 8865	All versions

Configuration V

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Video Phone 8875 With Multiplatform Firmware	Before 2.3\(1\)
Cisco Video Phone 8875 With Multiplatform Firmware	Version 2.3(1)
Cisco Video Phone 8875 With Multiplatform Firmware	Version 2.3(1) sr1

Running on/with	Platform Versions
Cisco Video Phone 8875	All versions

Configuration W

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ip Phone 8831 With Multiplatform Firmware	All versions

Running on/with	Platform Versions
Cisco Ip Phone 8831	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.