Cisco issues security advisories affecting its products

Cisco security advisories. Cisco has published 5 new security advisories covering 7 vulnerabilities, 5 of medium severity and 2 of critical severity, affecting products such as:

  • Cisco Webex for Web (cloud-based)
  • Cisco Finesse
  • Cisco Unified Intelligence Center
  • Among others

Medium severity

CVE-2023-20104 [CVSS: 6.1]

Cross-Site Scripting vulnerability in the Cisco Webex application.

The flaw is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending an arbitrary file to a user and convincing them to browse to a specific URL. Successful exploitation could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

  • Note: Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE-2023-20088 [CVSS: 5.3]

Denial of Service vulnerability in Cisco Finesse reverse proxy access (VPN-less access to the Finesse Desktop).

This vulnerability is due to improper filtering of IP addresses by the reverse proxy. An attacker could exploit this vulnerability by sending a series of unauthenticated requests to the reverse proxy. Successful exploitation could allow the attacker to cause all current traffic and subsequent requests that reach the reverse proxy via a load balancer to be dropped, resulting in a DoS condition.

  • Note: Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Cisco Unified Intelligence Center Vulnerabilities

CVE-2023-20061 [CVSS: 6.5]

This vulnerability is due to excessive detail in a specific REST API output. An attacker could exploit this vulnerability by sending a manipulated HTTP request to an affected device. Successful exploitation could allow the attacker to obtain sensitive data, including encrypted credentials for services associated with the affected device.

CVE-2023-20062 [CVSS: 5.0]

This vulnerability is due to incorrect input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a manipulated HTTP request to an affected system. Successful exploitation could allow the attacker to send arbitrary network requests from the affected system.

  • Note: Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

CVE-2023-20069 [CVSS: 5.4]

Stored Cross-Site Scripting vulnerability in Cisco Prime Infrastructure and Evolved Programmable Network Manager.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click on a manipulated link. Successful exploitation could allow the attacker to execute arbitrary scripting code in the context of the affected interface or access sensitive browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the affected device's web-based administration interface.

Critical severity

Vulnerabilities in the web user interface of Cisco IP Phone 6800, 7800, 7900 and 8800 Series.

CVE-2023-20078 [CVSS: 9.8]

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a tampered request to the web-based administration interface. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.

CVE-2023-20079 [CVSS: 7.5]

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a tampered request to the web-based administration interface. Successful exploitation could allow the attacker to trigger a DoS condition.

  • Note: Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

To mitigate the vulnerabilities of both severities, it is recommended to install the updates that the manufacturer makes available through its official channels, after first analysing the impact that the update could have on your organization's business-critical services. To do so, consult your technical staff or the corresponding resolution areas.

Link of interest

Products affected

  • IP Phone 7800 Series with Multiplatform Firmware: if running a vulnerable version of Cisco Multiplatform Firmware
  • IP Phone 6800 Series with Multiplatform Firmware: if running a vulnerable version of Cisco Multiplatform Firmware
  • Cisco Unified Intelligence Center: 12.6 and earlier
  • Cisco Finesse: 12.6(2) and earlier
  • Unified IP Conference Phone 8831: if running a vulnerable version of Cisco Multiplatform Firmware or Cisco Unified Software
  • Cisco Webex for Web (cloud-based)
  • Cisco Prime Infrastructure: prior to 3.10.3
  • Cisco EPN Manager: prior to 7.0
  • Unified IP Conference Phone 8831 with Multiplatform Firmware: if running a vulnerable version of Cisco Multiplatform Firmware or Cisco Unified Software
  • IP Phone 8800 Series with Multiplatform Firmware: if running a vulnerable version of Cisco Multiplatform Firmware
  • Unified IP Phone 7900 Series: if running a vulnerable version of Cisco Multiplatform Firmware or Cisco Unified Software
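The mitigation advice above amounts to matching an inventory against the version ceilings in this list. The following script is an added example (not Cisco's code or part of this bulletin) that does that for the four products with a numeric ceiling; it assumes Cisco's "12.6(2)" notation can be compared numerically and that "12.6 and earlier" covers every 12.6 sub-release, and it deliberately reports the phone platforms as "unknown" because the bulletin gives no version number for them.

```python
import re
from typing import List, Optional, Tuple

# Version ceilings taken from the "Products affected" list of this bulletin.
# True  = "<version> and earlier" (inclusive); False = "prior to <version>" (exclusive).
# Phone platforms are listed without a version number, so they are not in this table.
AFFECTED = {
    "Cisco Unified Intelligence Center": ("12.6", True),
    "Cisco Finesse": ("12.6(2)", True),
    "Cisco Prime Infrastructure": ("3.10.3", False),
    "Cisco EPN Manager": ("7.0", False),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.6(2)' or '3.10.3' into a comparable tuple of integers, e.g. (12, 6, 2)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return parts

def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for products in the table; None when the bulletin gives no ceiling."""
    if product not in AFFECTED:
        return None
    ceiling, inclusive = AFFECTED[product]
    have, limit = parse_version(version), parse_version(ceiling)
    if inclusive:
        # "X and earlier" (assumption): compare only as deep as X specifies, so 12.6(2) <= 12.6
        have = (have + (0,) * len(limit))[: len(limit)]
        return have <= limit
    # "prior to X": pad both sides with zeros and compare strictly
    n = max(len(have), len(limit))
    return have + (0,) * (n - len(have)) < limit + (0,) * (n - len(limit))

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (product, version) as 'affected', 'not affected' or 'unknown'."""
    out = []
    for product, version in inventory:
        hit = is_affected(product, version)
        out.append((product, version, "unknown" if hit is None else ("affected" if hit else "not affected")))
    return out

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("Cisco Finesse", "12.6(2)"),
    ("Cisco Finesse", "12.6(3)"),
    ("Cisco Prime Infrastructure", "3.10.3"),
    ("IP Phone 8800 Series with Multiplatform Firmware", "11.3.7"),
]
```

Run `triage(SAMPLE_INVENTORY)`; anything reported as "unknown" still needs a manual check against Cisco's advisory for that platform.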

Cisco security advisories

