Details of VAR-202307-1790

ID

VAR-202307-1790

CVE

CVE-2023-20181

TITLE

Cisco Small Business SPA500 Series IP Phones Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2023-61392 // CNNVD: CNNVD-202307-1761

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to conduct XSS attacks. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F

Trust: 1.53

sources: NVD: CVE-2023-20181 // CNVD: CNVD-2023-61392 // VULMON: CVE-2023-20181

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-61392

AFFECTED PRODUCTS

vendor:	cisco	model:	spa508g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa502g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa500ds	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa525g2	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa500s	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa514g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa501g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa525g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa509g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa525	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa504g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	spa512g	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	small business spa500 series ip phones	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2023-61392 // NVD: CVE-2023-20181

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-20181
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20181
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2023-61392
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202307-1761
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2023-61392
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-20181
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0

sources: CNVD: CNVD-2023-61392 // CNNVD: CNNVD-202307-1761 // NVD: CVE-2023-20181 // NVD: CVE-2023-20181

PROBLEMTYPE DATA

problemtype:	CWE-80	Trust: 1.0
problemtype:	CWE-79	Trust: 1.0

sources: NVD: CVE-2023-20181

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202307-1761

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202307-1761

PATCH

title:	Patch for Cisco Small Business SPA500 Series IP Phones Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/449296	Trust: 0.6
title:	Cisco Small Business SPA500 Series IP Phones Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=246929	Trust: 0.6
title:	Cisco: Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-spa-web-multi-7kvPmu2F	Trust: 0.1

sources: CNVD: CNVD-2023-61392 // VULMON: CVE-2023-20181 // CNNVD: CNNVD-202307-1761

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20181	Trust: 2.3
db:	CNVD	id:	CNVD-2023-61392	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.4103	Trust: 0.6
db:	CNNVD	id:	CNNVD-202307-1761	Trust: 0.6
db:	VULMON	id:	CVE-2023-20181	Trust: 0.1

sources: CNVD: CNVD-2023-61392 // VULMON: CVE-2023-20181 // CNNVD: CNNVD-202307-1761 // NVD: CVE-2023-20181

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-spa-web-multi-7kvpmu2f	Trust: 1.7
url:	https://www.auscert.org.au/bulletins/esb-2023.4103	Trust: 0.6

sources: CNVD: CNVD-2023-61392 // VULMON: CVE-2023-20181 // CNNVD: CNNVD-202307-1761 // NVD: CVE-2023-20181

SOURCES

db:	CNVD	id:	CNVD-2023-61392
db:	VULMON	id:	CVE-2023-20181
db:	CNNVD	id:	CNNVD-202307-1761
db:	NVD	id:	CVE-2023-20181

LAST UPDATE DATE

2024-08-14T15:15:54.949000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-61392	date:	2023-08-07T00:00:00
db:	CNNVD	id:	CNNVD-202307-1761	date:	2023-07-24T00:00:00
db:	NVD	id:	CVE-2023-20181	date:	2024-01-25T17:15:32.997

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-61392	date:	2023-08-07T00:00:00
db:	CNNVD	id:	CNNVD-202307-1761	date:	2023-07-20T00:00:00
db:	NVD	id:	CVE-2023-20181	date:	2023-08-03T22:15:10.737