PT-2024-8290 · Cisco · Cisco IP Phone 7800 +4
Ian Thorne · Published 2024-11-06 · Updated 2026-01-05 · CVE-2024-20534
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Cisco IP Phone 6800 versions (affected versions not specified)
Cisco IP Phone 7800 versions (affected versions not specified)
Cisco IP Phone 8800 versions (affected versions not specified)
Cisco Video Phone 8875 versions (affected versions not specified)
Cisco Desk Phone 9800 Series versions (affected versions not specified)
Description
The web interface of the affected devices does not properly validate user-supplied input, which allows an attacker to inject malicious code into specific pages of the interface. A remote attacker could use this to conduct stored cross-site scripting (XSS) attacks against users. To exploit the vulnerability, the attacker must have Admin credentials on the device, and Web Access must be enabled on the phone. Web Access is disabled by default.
Recommendations
For Cisco IP Phone 6800, update to a version that fixes the vulnerability, ensuring Web Access is disabled if not necessary.
For Cisco IP Phone 7800, update to a version that fixes the vulnerability, ensuring Web Access is disabled if not necessary.
For Cisco IP Phone 8800, update to a version that fixes the vulnerability, ensuring Web Access is disabled if not necessary.
For Cisco Video Phone 8875, update to a version that fixes the vulnerability, ensuring Web Access is disabled if not necessary.
For Cisco Desk Phone 9800 Series, update to a version that fixes the vulnerability, ensuring Web Access is disabled if not necessary.
As a temporary workaround, consider disabling Web Access on the affected devices until a patch is available.
Fix
XSS
Affected Products
Cisco Desk Phone 9800 Series
Cisco IP Phone 6800
Cisco IP Phone 7800
Cisco IP Phone 8800
Cisco Video Phone 8875