CVE-2022-20774 – Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2022-20774
A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web-based interface of an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform configuration changes on the affected device, resulting in a denial of service (DoS) condition. Una vulnerabilidad en la interfaz de administración basada en web de los teléfonos IP de las series 6800, 7800 y 8800 de Cisco con firmware multiplataforma podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site request forgery (CSRF) contra un usuario de la interfaz basada en la web de un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx • CWE-345: Insufficient Verification of Data Authenticity CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-20660 – Cisco IP Phones Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-20660
A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks. Una vulnerabilidad en la arquitectura de almacenamiento de información de varios modelos de teléfonos IP de Cisco podría permitir a un atacante físico no autenticado obtener información confidencial de un dispositivo afectado. • http://packetstormsecurity.com/files/165567/Cisco-IP-Phone-Cleartext-Password-Storage.html http://seclists.org/fulldisclosure/2022/Jan/34 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2021-34711 – Cisco IP Phone Software Arbitrary File Read Vulnerability
https://notcve.org/view.php?id=CVE-2021-34711
A vulnerability in the debug shell of Cisco IP Phone software could allow an authenticated, local attacker to read any file on the device file system. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by providing crafted input to a debug shell command. A successful exploit could allow the attacker to read any file on the device file system. Una vulnerabilidad en el shell de depuración del software de Cisco IP Phone podría permitir a un atacante local autenticado leer cualquier archivo del sistema de archivos del dispositivo. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-arbfileread-NPdtE2Ow • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-36: Absolute Path Traversal •
CVE-2020-3360 – Cisco IP Phones Series 7800 and Series 8800 Call Log Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-3360
A vulnerability in the Web Access feature of Cisco IP Phones Series 7800 and Series 8800 could allow an unauthenticated, remote attacker to view sensitive information on an affected device. The vulnerability is due to improper access controls on the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending malicious requests to the device, which could allow the attacker to bypass access restrictions. A successful attack could allow the attacker to view sensitive information, including device call logs that contain names, usernames, and phone numbers of users of the device. Una vulnerabilidad en la funcionalidad Web Access de Cisco IP Phones Series 7800 y Series 8800, podría permitir a un atacante remoto no autenticado visualizar información confidencial sobre un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-logs-2O7f7ExM • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVE-2020-3161 – Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3161
A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. Una vulnerabilidad en el servidor web de Cisco IP Phones, podría permitir a un atacante no autenticado remoto ejecutar código con privilegios root o causar una recarga de un teléfono IP afectado, resultando en una condición de denegación de servicio (DoS). • https://www.exploit-db.com/exploits/48342 https://github.com/abood05972/CVE-2020-3161 http://packetstormsecurity.com/files/157265/Cisco-IP-Phone-11.7-Denial-Of-Service.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs • CWE-20: Improper Input Validation •