Ian Thorne

Researcher from Cisco Advanced Security Initiatives Group (ASIG)

Rank #21745 of 53,632 · 11 Total CVSS

Vulnerabilities: 2 (Medium: 2)
PT-2024-8287
5.5
2024-11-06
Cisco · Cisco Ip Phone 6800 Series · CVE-2024-20533
**Name of the Vulnerable Software and Affected Versions**

- Cisco Desk Phone 9800 Series (affected versions not specified)
- Cisco IP Phone 6800 Series (affected versions not specified)
- Cisco IP Phone 7800 Series (affected versions not specified)
- Cisco IP Phone 8800 Series (affected versions not specified)
- Cisco Video Phone 8875 (affected versions not specified)

**Description**

A vulnerability in the web UI of the affected devices could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users of the interface. The issue exists because the web UI does not properly validate user-supplied input. An attacker could exploit it by injecting malicious code into specific pages of the interface, which could allow arbitrary script code to execute in the context of the affected interface or expose sensitive, browser-based information. Exploitation requires that Web Access be enabled on the phone and that the attacker hold Admin credentials on the device. Web Access is disabled by default.

**Recommendations**

- For Cisco Desk Phone 9800 Series, consider disabling Web Access until a patch is available.
- For Cisco IP Phone 6800 Series, restrict access to the web UI for non-admin users until a fix is applied.
- For Cisco IP Phone 7800 Series, avoid using the web UI for sensitive operations until the issue is resolved.
- For Cisco IP Phone 8800 Series, limit use of the web interface to necessary administrative tasks only until a patch is released.
- For Cisco Video Phone 8875, disable the web UI temporarily as a mitigation until a fix is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2024-8290
5.5
2024-11-06
Cisco · Cisco Ip Phone 7800 · CVE-2024-20534
**Name of the Vulnerable Software and Affected Versions**

- Cisco IP Phone 6800 (affected versions not specified)
- Cisco IP Phone 7800 (affected versions not specified)
- Cisco IP Phone 8800 (affected versions not specified)
- Cisco Video Phone 8875 (affected versions not specified)
- Cisco Desk Phone 9800 Series (affected versions not specified)

**Description**

The vulnerability is in the web interface of the affected devices, which does not properly validate user-supplied input. This could allow a remote attacker to conduct stored cross-site scripting (XSS) attacks against users by injecting malicious code into specific pages of the interface. To exploit it, the attacker must hold Admin credentials on the device and Web Access must be enabled on the phone. Web Access is disabled by default.

**Recommendations**

- For Cisco IP Phone 6800, update to a version that fixes the vulnerability, and keep Web Access disabled if it is not needed.
- For Cisco IP Phone 7800, update to a version that fixes the vulnerability, and keep Web Access disabled if it is not needed.
- For Cisco IP Phone 8800, update to a version that fixes the vulnerability, and keep Web Access disabled if it is not needed.
- For Cisco Video Phone 8875, update to a version that fixes the vulnerability, and keep Web Access disabled if it is not needed.
- For Cisco Desk Phone 9800 Series, update to a version that fixes the vulnerability, and keep Web Access disabled if it is not needed.

As a temporary workaround, consider disabling Web Access on the affected devices until a patch is available.