CVE-2023-20218

Summary

A vulnerability in web-based management interface of Cisco SPA500 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to to modify a web page in the context of a user's browser. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks. Cisco will not release software updates that address this vulnerability.
{{value}} ["%7b%7bvalue%7d%7d"])}]]

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Small Business IP Phones7.6.0affected
CiscoCisco Small Business IP Phones7.6.2affected
CiscoCisco Small Business IP Phones7.6.2SR3affected
CiscoCisco Small Business IP Phones7.6.2SR6affected
CiscoCisco Small Business IP Phones7.6.2SR2affected
CiscoCisco Small Business IP Phones7.6.2SR4affected
CiscoCisco Small Business IP Phones7.6.2SR1affected
CiscoCisco Small Business IP Phones7.6.2SR5affected
CiscoCisco Small Business IP Phones7.6.2SR7affected
CiscoCisco Small Business IP Phones7.6.1affected
CiscoCisco Small Business IP Phones7.3.7affected
CiscoCisco Small Business IP Phones7.5.5affected
CiscoCisco Small Business IP Phones7.5.6(XU)affected
CiscoCisco Small Business IP Phones7.5.2affected
CiscoCisco Small Business IP Phones7.5.2aaffected
CiscoCisco Small Business IP Phones7.5.7affected
CiscoCisco Small Business IP Phones7.5.3affected
CiscoCisco Small Business IP Phones7.5.6affected
CiscoCisco Small Business IP Phones7.5.2baffected
CiscoCisco Small Business IP Phones7.5.6caffected
CiscoCisco Small Business IP Phones7.5.6aaffected
CiscoCisco Small Business IP Phones7.5.7saffected
CiscoCisco Small Business IP Phones7.5.1affected
CiscoCisco Small Business IP Phones7.5.5aaffected
CiscoCisco Small Business IP Phones7.5.5baffected
CiscoCisco Small Business IP Phones7.5.4affected
CiscoCisco Small Business IP Phones7.4.7affected
CiscoCisco Small Business IP Phones7.4.4affected
CiscoCisco Small Business IP Phones7.4.8affected
CiscoCisco Small Business IP Phones7.4.3affected
CiscoCisco Small Business IP Phones7.4.9affected
CiscoCisco Small Business IP Phones7.4.6affected

Weaknesses

  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References