CVE-2019-16008 – Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-16008
A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based GUI of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Una vulnerabilidad en la GUI basada en web de Cisco IP Phone Serie 6800, 7800 y 8800 con Multiplatform Firmware, podría permitir a un atacante remoto autenticado llevar a cabo un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz basada en web de un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-iphone-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-0341
https://notcve.org/view.php?id=CVE-2018-0341
A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware before 11.2(1) could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field. Cisco Bug IDs: CSCvi51426. Una vulnerabilidad en la interfaz de usuario web de Cisco IP Phone Series 6800, 7800 y 8800 con firmware multiplataforma en versiones anteriores a la 11.2(1) podría permitir que un atacante remoto autenticado realice una inyección de comandos y ejecute comandos con los privilegios del servidor web. • http://www.securityfocus.com/bid/104731 http://www.securitytracker.com/id/1041285 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-phone-webui-inject • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-0316
https://notcve.org/view.php?id=CVE-2018-0316
A vulnerability in the Session Initiation Protocol (SIP) call-handling functionality of Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware could allow an unauthenticated, remote attacker to cause an affected phone to reload unexpectedly, resulting in a temporary denial of service (DoS) condition. The vulnerability exists because the firmware of an affected phone incorrectly handles errors that could occur when an incoming phone call is not answered. An attacker could exploit this vulnerability by sending a set of maliciously crafted SIP packets to an affected phone. A successful exploit could allow the attacker to cause the affected phone to reload unexpectedly, resulting in a temporary DoS condition. This vulnerability affects Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware if they are running a Multiplatform Firmware release prior to Release 11.1(2). • http://www.securitytracker.com/id/1041073 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-multiplatform-sip • CWE-399: Resource Management Errors CWE-755: Improper Handling of Exceptional Conditions •