CVE-2024-20445

MEDIUM EPSS 35.9%

Published Nov 6, 20241y ago · Modified Jun 17, 20261w ago

5.3 CVSS 3.1

Medium

Published Nov 6, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive information within the web UI of Session Initiation Protocol (SIP)-based phone loads. An attacker could exploit this vulnerability by browsing to the IP address of a device that has Web Access enabled. A successful exploit could allow the attacker to access sensitive information, including incoming and outgoing call records. Note: Web Access is disabled by default.

CVSS Details

Base Score

5.3

Exploitability

3.9

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

35.9% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 42

Vendor	Product	Version	Range
cisco	desk_phone_9841_firmware	3.1\(1\)	any
cisco	desk_phone_9841_firmware	3.1\(1\)	any
cisco	desk_phone_9841	*	any
cisco	desk_phone_9851_firmware	3.1\(1\)	any
cisco	desk_phone_9851_firmware	3.1\(1\)	any
cisco	desk_phone_9851	*	any
cisco	desk_phone_9861_firmware	3.1\(1\)	any
cisco	desk_phone_9861_firmware	3.1\(1\)	any
cisco	desk_phone_9861	*	any
cisco	desk_phone_9871_firmware	3.1\(1\)	any
cisco	desk_phone_9871_firmware	3.1\(1\)	any
cisco	desk_phone_9871	*	any
cisco	ip_conference_phone_7832_firmware	*	<14.3\(1\)
cisco	ip_conference_phone_7832	*	any
cisco	ip_conference_phone_8831_firmware	*	<14.3\(1\)
cisco	ip_conference_phone_8831	*	any
cisco	ip_conference_phone_8832_firmware	*	<14.3\(1\)
cisco	ip_conference_phone_8832	*	any
cisco	ip_phone_7811_firmware	*	<14.3\(1\)
cisco	ip_phone_7811	*	any
cisco	ip_phone_7821_firmware	*	<14.3\(1\)
cisco	ip_phone_7821	*	any
cisco	ip_phone_7841_firmware	*	<14.3\(1\)
cisco	ip_phone_7841	*	any
cisco	ip_phone_7861_firmware	*	<14.3\(1\)
cisco	ip_phone_7861	*	any
cisco	ip_phone_8811_firmware	*	<14.3\(1\)
cisco	ip_phone_8811	*	any
cisco	ip_phone_8841_firmware	*	<14.3\(1\)
cisco	ip_phone_8841	*	any
cisco	ip_phone_8845_firmware	*	<14.3\(1\)
cisco	ip_phone_8845	*	any
cisco	ip_phone_8851_firmware	*	<14.3\(1\)
cisco	ip_phone_8851	*	any
cisco	ip_phone_8851nr_firmware	*	<14.3\(1\)
cisco	ip_phone_8851nr	*	any
cisco	ip_phone_8861_firmware	*	<14.3\(1\)
cisco	ip_phone_8861	*	any
cisco	video_phone_8875_firmware	*	<2.3\(1\)
cisco	video_phone_8875_firmware	2.3\(1\)	any
cisco	video_phone_8875_firmware	2.3\(1\)	any
cisco	video_phone_8875	*	any

References 1

sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-infodisc-sbyqQVbG

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.