Details of VAR-201407-0377

ID

VAR-201407-0377

CVE

CVE-2014-3313

TITLE

Cisco Small Business SPA300 and SPA500 Series IP phone of Web Cross-site scripting vulnerability in user interface

Trust: 0.8

sources: JVNDB: JVNDB-2014-003295

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web user interface on Cisco Small Business SPA300 and SPA500 phones allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuo52582. The Cisco Small Businsess SPA300 and SPA500 Series IP Phones WEB interfaces fail to adequately filter user input, and remote attackers exploit vulnerabilities to build malicious URIs, entice users to resolve, obtain sensitive cookies, hijack sessions, or perform malicious operations on the client. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuo52582

Trust: 2.52

sources: NVD: CVE-2014-3313 // JVNDB: JVNDB-2014-003295 // CNVD: CNVD-2014-04222 // BID: 68464 // VULHUB: VHN-71253

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-04222

AFFECTED PRODUCTS

vendor:	cisco	model:	spa942 4-line ip phone with 2-port switch	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa901 1-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa922 1-line ip phone with 1-port ethernet	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 525g 5-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa962 6-line ip phone with 2-port switch	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 303 3 line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 508g 8-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 514g 4-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 512g 1-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa941 4-line ip phone with 1-port ethernet	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 301 1 line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 525g2 5-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 501g 8-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 504g 4-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 502g 1-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 509g 12-line ip phone	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	spa 301 1-line ip phone	scope:	lte	version:	firmware 7.5(.5)	Trust: 0.8
vendor:	cisco	model:	spa 303 3-line ip phone	scope:	lte	version:	firmware 7.5(.5)	Trust: 0.8
vendor:	cisco	model:	spa 501g 8-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 502g 1-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 504g 4-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 508g 8-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 509g 12-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 512g 1-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 514g 4-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 525g 5-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	spa 525g2 5-line ip phone	scope:	lte	version:	firmware 7.5(.4)	Trust: 0.8
vendor:	cisco	model:	small business spa series ip phones	scope:	eq	version:	500	Trust: 0.6
vendor:	cisco	model:	small business spa series ip phones	scope:	eq	version:	300	Trust: 0.6
vendor:	cisco	model:	spa 512g 1-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 509g 12-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 504g 4-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 303 3 line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 501g 8-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 508g 8-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 301 1 line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa 502g 1-line ip phone	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa962 6-line ip phone with 2-port switch	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	spa942 4-line ip phone with 2-port switch	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2014-04222 // JVNDB: JVNDB-2014-003295 // CNNVD: CNNVD-201407-233 // NVD: CVE-2014-3313

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-3313
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-3313
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-04222
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201407-233
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-71253
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-3313
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-04222
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-71253
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-04222 // VULHUB: VHN-71253 // JVNDB: JVNDB-2014-003295 // CNNVD: CNNVD-201407-233 // NVD: CVE-2014-3313

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-71253 // JVNDB: JVNDB-2014-003295 // NVD: CVE-2014-3313

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-233

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201407-233

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003295

PATCH

title:	Cisco Small Business SPA300 and SPA500 Series IP Phones Cross-Site Scripting Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3313	Trust: 0.8
title:	34885	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=34885	Trust: 0.8
title:	Cisco Series IP Phones have patches for unidentified cross-site scripting vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/47371	Trust: 0.6

sources: CNVD: CNVD-2014-04222 // JVNDB: JVNDB-2014-003295

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3313	Trust: 3.4
db:	BID	id:	68464	Trust: 2.0
db:	SECTRACK	id:	1030553	Trust: 1.1
db:	SECUNIA	id:	59808	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-003295	Trust: 0.8
db:	CNNVD	id:	CNNVD-201407-233	Trust: 0.7
db:	CNVD	id:	CNVD-2014-04222	Trust: 0.6
db:	VULHUB	id:	VHN-71253	Trust: 0.1

sources: CNVD: CNVD-2014-04222 // VULHUB: VHN-71253 // BID: 68464 // JVNDB: JVNDB-2014-003295 // CNNVD: CNNVD-201407-233 // NVD: CVE-2014-3313

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3313	Trust: 2.3
url:	http://www.securityfocus.com/bid/68464	Trust: 1.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=34885	Trust: 1.1
url:	http://www.securitytracker.com/id/1030553	Trust: 1.1
url:	http://secunia.com/advisories/59808	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/94422	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3313	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3313	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2014-04222 // VULHUB: VHN-71253 // BID: 68464 // JVNDB: JVNDB-2014-003295 // CNNVD: CNNVD-201407-233 // NVD: CVE-2014-3313

CREDITS

Cisco

Trust: 0.3

sources: BID: 68464

SOURCES

db:	CNVD	id:	CNVD-2014-04222
db:	VULHUB	id:	VHN-71253
db:	BID	id:	68464
db:	JVNDB	id:	JVNDB-2014-003295
db:	CNNVD	id:	CNNVD-201407-233
db:	NVD	id:	CVE-2014-3313

LAST UPDATE DATE

2024-11-23T22:56:33.315000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-04222	date:	2014-07-11T00:00:00
db:	VULHUB	id:	VHN-71253	date:	2017-08-29T00:00:00
db:	BID	id:	68464	date:	2014-07-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-003295	date:	2014-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201407-233	date:	2014-07-10T00:00:00
db:	NVD	id:	CVE-2014-3313	date:	2024-11-21T02:07:50.797

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-04222	date:	2014-07-11T00:00:00
db:	VULHUB	id:	VHN-71253	date:	2014-07-09T00:00:00
db:	BID	id:	68464	date:	2014-07-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-003295	date:	2014-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201407-233	date:	2014-07-10T00:00:00
db:	NVD	id:	CVE-2014-3313	date:	2014-07-09T11:07:01.540