- 47/2024
- Critical
Cisco has released security updates to fix several vulnerabilities across multiple Cisco products.
The addressed vulnerabilities could allow the remote attacker to conduct crosssite scripting attacks, cause web cache poisoning by persuading the authenticated user to visit a malicious website, or perform denial of service attacks by submitting a crafted file containing OLE2 content to be scanned by ClamAV on the affected device.
Sample of the addressed vulnerabilities:
1. Cisco Expressway Series and TelePresence Video Communication Server (VCS) Cross-Site Request Forgery (CVE-2024-20252):
- CVSS: 9.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Access
2. Cisco Secure Endpoint Connector for Windows and Secure Endpoint Private Cloud Denial of Service (CVE-2024-20290):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
The affected products:
- Cisco Expressway Series.
- Secure Endpoint Connector for Windows.
- Cisco Secure Endpoint Private Cloud.
Vulnerabilities
- CVE-2024-20252
- CVE-2024-20254
- CVE-2024-20255
- CVE-2024-20290
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.