SB2024050212 - Multiple vulnerabilities in Cisco IP Phone 6800, 7800 and 8800 Series with Multiplatform Firmware

Security Bulletin ID SB2024050212

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) XML External Entity injection (CVE-ID: CVE-2024-20357)

The vulnerability allows a remote attacker to initiate phone calls on the target device.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and initiate calls or play sounds on the target device.

2) Input validation error (CVE-ID: CVE-2024-20376)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the web-based management interface. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2024-20378)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a lack of authentication for specific endpoints of the web-based management interface. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-multi-vulns-cXAhCvS