CVE-2024-20533

MEDIUM EPSS 18.6%
Published Nov 6, 20241y ago · Modified Jun 17, 20261w ago
4.8 CVSS 3.1
Medium
Find Similar
Published Nov 6, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

CVSS Details

Base Score
4.8
Exploitability
1.7
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
18.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 52

VendorProductVersionRange
ciscodesk_phone_9841_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9841_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9841*any
ciscodesk_phone_9851_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9851_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9851*any
ciscodesk_phone_9861_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9861_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9861*any
ciscodesk_phone_9871_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9871_with_multiplatform_firmware3.1\(1\)any
ciscodesk_phone_9871*any
ciscoip_phone_6821_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_6821*any
ciscoip_phone_6841_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_6841*any
ciscoip_phone_6851_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_6851*any
ciscoip_phone_6861_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_6861*any
ciscoip_phone_6871_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_6871*any
ciscoip_phone_7811_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_7811*any
ciscoip_phone_7821_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_7821*any
ciscoip_phone_7832_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_7832*any
ciscoip_phone_7841_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_7841*any
ciscoip_phone_7861_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_7861*any
ciscoip_phone_8811_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8811*any
ciscoip_phone_8832_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8832*any
ciscoip_phone_8841_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8841*any
ciscoip_phone_8845_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8845*any
ciscoip_phone_8851_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8851*any
ciscoip_phone_8861_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8861*any
ciscoip_phone_8865_with_multiplatform_firmware12.0\(5\)any
ciscoip_phone_8865*any
ciscovideo_phone_8875_with_multiplatform_firmware* <2.3\(1\)
ciscovideo_phone_8875_with_multiplatform_firmware2.3\(1\)any
ciscovideo_phone_8875_with_multiplatform_firmware2.3\(1\)any
ciscovideo_phone_8875*any
ciscoip_phone_8831_with_multiplatform_firmware*any
ciscoip_phone_8831*any

References 1

  • sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.