ID

VAR-202411-1174


CVE

CVE-2024-20534


TITLE

Cisco IP Phone Cross-Site Scripting Vulnerability (CNVD-2024-45292)

Trust: 0.6

sources: CNVD: CNVD-2024-45292

DESCRIPTION

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. Cisco IP Phone is a hardware device of Cisco. It is an IP phone that provides calling functions.

Trust: 1.44

sources: NVD: CVE-2024-20534 // CNVD: CNVD-2024-45292

IOT TAXONOMY

category: IoT
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-45292

AFFECTED PRODUCTS

vendor: cisco
model: ip phones
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2024-45292

CVSS

SEVERITY

CVSSV2

CVSSV3

ykramarz@cisco.com: CVE-2024-20534
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2024-45292
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2024-45292
severity: MEDIUM
baseScore: 4.7
vectorString: AV:N/AC:L/AU:M/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ykramarz@cisco.com: CVE-2024-20534
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-45292 // NVD: CVE-2024-20534

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

sources: NVD: CVE-2024-20534

PATCH

title: Patch for Cisco IP Phone Cross-Site Scripting Vulnerability (CNVD-2024-45292)
url: https://www.cnvd.org.cn/patchInfo/show/618061

Trust: 0.6

sources: CNVD: CNVD-2024-45292

EXTERNAL IDS

db: NVD
id: CVE-2024-20534

Trust: 1.6

db: CNVD
id: CNVD-2024-45292

Trust: 0.6

sources: CNVD: CNVD-2024-45292 // NVD: CVE-2024-20534

REFERENCES

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-mpp-xss-8tav2tvf

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2024-20534

Trust: 0.6

sources: CNVD: CNVD-2024-45292 // NVD: CVE-2024-20534

SOURCES

db: CNVD, id: CNVD-2024-45292
db: NVD, id: CVE-2024-20534

LAST UPDATE DATE

2024-11-21T23:21:36.779000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-45292, date: 2024-11-19T00:00:00
db: NVD, id: CVE-2024-20534, date: 2024-11-06T18:17:17.287

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-45292, date: 2024-11-13T00:00:00
db: NVD, id: CVE-2024-20534, date: 2024-11-06T17:15:18.927