CVE-2024-20533

Summary

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.

This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco IP Phones with Multiplatform Firmware11.1.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.3 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.2 MSR3-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.0affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.1.1 MSR2-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.2.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.1 MSR1-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR1-3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR2-6affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MSR2UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR3-3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.1 MSR4-1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.4affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.5affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.3 MSR2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6affected
CiscoCisco IP Phones with Multiplatform Firmware11-3-1MPPSR4UPGaffected
CiscoCisco IP Phones with Multiplatform Firmware11.3.6SR1affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.2affected
CiscoCisco IP Phones with Multiplatform Firmware11.3.7SR2affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.4affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.4SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.5affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.5SR1affected
CiscoCisco IP Phones with Multiplatform Firmware12.0.3SR2affected
CiscoCisco Session Initiation Protocol (SIP) Software3.1(1)affected
CiscoCisco Session Initiation Protocol (SIP) Software3.0(1)affected
CiscoCisco Session Initiation Protocol (SIP) Software3.1(1)SR1affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References