CVE-2024-20534

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9841:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9851:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9861:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9871:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6821_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6821:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6841:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6851_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6851:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6861:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6871_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6871:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7811_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7811:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7821_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7821:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7832_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7832:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7841:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7861:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8811_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8811:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8832_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8832:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8841:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8845_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8845:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8851_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8851:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8861:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8865_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8865:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

OR	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware::-::::::*
	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):-::::::
	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):sr1::::::

cpe:2.3:h:cisco:video_phone_8875:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8831_with_multiplatform_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8831:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-06 17:15

Updated : 2026-01-05 14:51

NVD link : CVE-2024-20534

Mitre link : CVE-2024-20534

CVE.ORG link : CVE-2024-20534

JSON object : View

Products Affected

cisco

ip_phone_6821
ip_phone_7832_with_multiplatform_firmware
ip_phone_7841
ip_phone_7861_with_multiplatform_firmware
ip_phone_7821
desk_phone_9841
ip_phone_6861_with_multiplatform_firmware
video_phone_8875
ip_phone_8841_with_multiplatform_firmware
ip_phone_7832
ip_phone_8811_with_multiplatform_firmware
ip_phone_8845
ip_phone_8841
desk_phone_9861
ip_phone_6861
ip_phone_6871_with_multiplatform_firmware
ip_phone_7811_with_multiplatform_firmware
ip_phone_7841_with_multiplatform_firmware
video_phone_8875_with_multiplatform_firmware
ip_phone_8851
ip_phone_6841_with_multiplatform_firmware
desk_phone_9861_with_multiplatform_firmware
ip_phone_7821_with_multiplatform_firmware
desk_phone_9841_with_multiplatform_firmware
ip_phone_8832
ip_phone_6851_with_multiplatform_firmware
ip_phone_8865
ip_phone_8831
ip_phone_8865_with_multiplatform_firmware
ip_phone_8861_with_multiplatform_firmware
ip_phone_7811
desk_phone_9851_with_multiplatform_firmware
ip_phone_6821_with_multiplatform_firmware
ip_phone_8851_with_multiplatform_firmware
ip_phone_8861
ip_phone_6841
ip_phone_8811
ip_phone_8831_with_multiplatform_firmware
ip_phone_8832_with_multiplatform_firmware
ip_phone_7861
ip_phone_6851
ip_phone_6871
desk_phone_9871_with_multiplatform_firmware
ip_phone_8845_with_multiplatform_firmware
desk_phone_9871
desk_phone_9851

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10