- 57/2023
- Critical
Cisco has released security updates to address vulnerabilities affecting multiple products.
The severity of the addressed vulnerabilities could allow the remote attacker to gain access, obtain information, cause a denial of service, and trigger Cross-site Scripting (XSS) or server-side request forgery (SSRF) attacks on the affected products.
Sample of the addressed vulnerabilities:
1. Cisco IP Phone Command Injection Vulnerability (CVE-2023-20078):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
2. Cisco IP Phone Denial of Service Vulnerability (CVE-2023-20079):
• CVSS: 7.5
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Denial of Service
Affected Products:
• Cisco IP Phone.
• Cisco Prime Infrastructure.
• Cisco EPN Manager.
• Cisco Unified Intelligence Center.
• Cisco Finesse.
• Cisco Webex.
Vulnerabilities
- CVE-2023-20061
- CVE-2023-20062
- CVE-2023-20069
- CVE-2023-20078
- CVE-2023-20088
- CVE-2023-20104
- CVE-2023-20079
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
Cisco Security Advisory