PT-2024-8287 · Cisco · Cisco IP Phone 6800 Series +4
Ian Thorne · Published 2024-11-06 · Updated 2026-01-05 · CVE-2024-20533
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Desk Phone 9800 Series (affected versions not specified)
Cisco IP Phone 6800 Series (affected versions not specified)
Cisco IP Phone 7800 Series (affected versions not specified)
Cisco IP Phone 8800 Series (affected versions not specified)
Cisco Video Phone 8875 (affected versions not specified)
Description
A vulnerability in the web UI of the affected devices could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This issue exists because the web UI does not properly validate user-supplied input. An attacker could exploit this by injecting malicious code into specific pages of the interface, potentially allowing the execution of arbitrary script code in the context of the affected interface or access to sensitive, browser-based information. Note that to exploit this, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
Recommendations
For Cisco Desk Phone 9800 Series, consider disabling Web Access until a patch is available.
For Cisco IP Phone 6800 Series, restrict access to the web UI for non-admin users until a fix is applied.
For Cisco IP Phone 7800 Series, avoid using the web UI for sensitive operations until the issue is resolved.
For Cisco IP Phone 8800 Series, limit the use of the web interface to necessary administrative tasks only until a patch is released.
For Cisco Video Phone 8875, disable the web UI temporarily as a mitigation measure until a fix is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Affected Products
Cisco Desk Phone 9800 Series
Cisco IP Phone 6800 Series
Cisco IP Phone 7800 Series
Cisco IP Phone 8800 Series
Cisco Video Phone 8875