PT-2024-3515 · Cisco · Cisco IP Phone 7800 +3

Andras Kosztyu +3 · Published 2024-05-01 · Updated 2026-01-05 · CVE-2024-20357

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Cisco IP Phone 6800 versions (affected versions not specified)
Cisco IP Phone 7800 versions (affected versions not specified)
Cisco IP Phone 8800 versions (affected versions not specified)
Cisco Video Phone 8875 versions (affected versions not specified)

Description

The issue is a buffer overflow in the web interface for managing the firmware of Cisco IP Phones. It exists because XML requests are parsed without bounds checking. An unauthenticated, remote attacker could exploit it by sending a specially crafted XML request to an affected device, potentially allowing them to initiate phone calls or play sounds on the device.

Recommendations

For Cisco IP Phone 6800, Cisco IP Phone 7800, Cisco IP Phone 8800 and Cisco Video Phone 8875, update the firmware to a version that includes the fix for this issue.

As a temporary workaround, consider restricting access to the XML service on the affected devices until a patch is available.

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2024-03817
CVE-2024-20357

Affected Products

Cisco IP Phone 6800
Cisco IP Phone 7800
Cisco IP Phone 8800
Cisco Video Phone 8875