CVE-2023-20231

Name of the Vulnerable Software and Affected Versions Cisco IOS XE Software (affected versions not specified)

Description A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. Note that this vulnerability is exploitable only if the attacker obtains the credentials for a Lobby Ambassador account, which is not configured by default.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, Cisco has released software updates that address this vulnerability. As a temporary workaround, consider restricting access to the web UI until a patch is available. Additionally, ensure that the Lobby Ambassador account credentials are securely stored and not accessible to unauthorized users.