PT-2022-2854 · Cisco · Cisco Telepresence Video Communication Server+1
Published: 2022-05-18 · Updated: 2022-06-09 · CVE-2022-20807
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Expressway Series (affected versions not specified)
Cisco TelePresence Video Communication Server (affected versions not specified)
Description
The vulnerability stems from improper restriction of XML external entity (XXE) references in the software of Cisco Expressway Series and Cisco TelePresence Video Communication Server. This could allow a remote attacker to view the contents of arbitrary files on the server or to perform network scanning of internal and external infrastructure. An authenticated, remote attacker may also be able to write files or disclose sensitive information on an affected device through the API and web-based management interfaces.
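The root cause named above is an XML parser that honours DOCTYPE and external entity declarations in attacker-supplied input. The following is an added example (not code from Cisco or from this advisory) showing the hardened side: a parser built on Python's standard `xml.parsers.expat` that refuses any DTD or entity construct before an external resource could be fetched, plus a cheap pre-parse screen suitable for a gateway or WAF rule. The XML samples, the `session`/`user`/`room` field names and the `file:///PLACEHOLDER_PATH` URI are constructed for the demonstration and do not describe the affected products' actual interfaces.

```python
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER

# Constructed sample: a benign request body with no DTD at all.
BENIGN_XML = b"""<?xml version="1.0"?>
<session><user>alice</user><room>demo-room</room></session>"""

# Constructed sample of the shape the advisory describes: a DOCTYPE that
# declares an external entity pointing at a local file (placeholder path).
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE session [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>
<session><user>&ext;</user></session>"""


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DOCTYPE, ENTITY or external reference."""


def screen_for_dtd(data: bytes) -> bool:
    """Cheap pre-parse check: True if a DOCTYPE or ENTITY declaration is present.

    This only matches the literal UTF-8/ASCII markers, so it is a first line of
    defence (useful as a logging/alerting signal), not the actual control.
    """
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


def parse_xml_strict(data: bytes) -> dict:
    """Parse XML into {leaf_tag: text}, refusing every DTD/entity construct.

    The real control is the set of expat handlers below: expat invokes them as
    soon as it meets the construct, before any external resource is resolved,
    and an exception raised inside a handler aborts the parse.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*_args):
        raise UnsafeXmlError("DTD or entity construct refused")

    parser.StartDoctypeDeclHandler = refuse   # any <!DOCTYPE ...>
    parser.EntityDeclHandler = refuse         # any <!ENTITY ...>
    parser.ExternalEntityRefHandler = refuse  # any expansion of a SYSTEM entity

    fields: dict = {}
    stack: list = []  # [name, [text parts]] per open element

    def start(name, _attrs):
        stack.append([name, []])

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(_name):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if text:  # keep only elements that carry text of their own
            fields[tag] = text

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def handle_request_body(data: bytes) -> tuple:
    """Model of an API front door: ("rejected", {}) for DTD-bearing input, else ("ok", fields)."""
    if screen_for_dtd(data):
        return "rejected", {}
    try:
        return "ok", parse_xml_strict(data)
    except UnsafeXmlError:
        return "rejected", {}


if __name__ == "__main__":
    print(handle_request_body(BENIGN_XML))  # ('ok', {'user': 'alice', 'room': 'demo-room'})
    print(handle_request_body(XXE_XML))     # ('rejected', {})
```

The byte-level screen is deliberately kept separate from the parser handlers: it is easy to log and alert on, but it misses documents in other encodings, so the parser-level refusal is what actually prevents the file read or outbound connection. Parsers that resolve entities by default (or that are wrapped by a library which re-enables resolution) need the equivalent setting disabled explicitly; the behaviour to verify in a review is that a DOCTYPE in input causes a hard failure rather than a silent expansion.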
Recommendations
For Cisco Expressway Series, update to a version that addresses the issue, if available.
For Cisco TelePresence Video Communication Server, update to a version that addresses the issue, if available.
As a temporary workaround until a patch is available, restrict network access to the API and web-based management interfaces to trusted administrative hosts.
Avoid using the affected API endpoints until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XXE
Insertion into Log File
Affected Products
Cisco Expressway Series
Cisco Telepresence Video Communication Server