CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2018-0461 – Cisco IP Phone 8800 Series Arbitrary Script Injection Vulnerability
https://notcve.org/view.php?id=CVE-2018-0461
A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device. The vulnerability exists because the software running on an affected device insufficiently validates user-supplied data. An attacker could exploit this vulnerability by persuading a user to click a malicious link provided to the user or through the interface of an affected device. A successful exploit could allow an attacker to execute arbitrary script code in the context of the user interface or access sensitive system-based information, which under normal circumstances should be prohibited. Una vulnerabilidad en el software Cisco IP Phone 8800 Series podría permitir que un atacante remoto sin autenticar lleve a cabo un ataque de inyección de scripts en un sistema afectado. • http://www.securityfocus.com/bid/106515 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-phone-script-injection • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 13EXPL: 0CVE-2018-0341
https://notcve.org/view.php?id=CVE-2018-0341
A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware before 11.2(1) could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including arbitrary shell commands in a specific user input field. Cisco Bug IDs: CSCvi51426. Una vulnerabilidad en la interfaz de usuario web de Cisco IP Phone Series 6800, 7800 y 8800 con firmware multiplataforma en versiones anteriores a la 11.2(1) podría permitir que un atacante remoto autenticado realice una inyección de comandos y ejecute comandos con los privilegios del servidor web. • http://www.securityfocus.com/bid/104731 http://www.securitytracker.com/id/1041285 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-phone-webui-inject • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 36EXPL: 0CVE-2018-0332
https://notcve.org/view.php?id=CVE-2018-0332
A vulnerability in the Session Initiation Protocol (SIP) ingress packet processing of Cisco Unified IP Phone software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a lack of flow-control mechanisms in the software. An attacker could exploit this vulnerability by sending high volumes of SIP INVITE traffic to the targeted device. Successful exploitation could allow the attacker to cause a disruption of services on the targeted IP phone. Cisco Bug IDs: CSCve10064, CSCve14617, CSCve14638, CSCve14683, CSCve20812, CSCve20926, CSCve20945. • http://www.securityfocus.com/bid/104445 http://www.securitytracker.com/id/1041074 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ip-phone-dos • CWE-399: Resource Management Errors •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2018-0316
https://notcve.org/view.php?id=CVE-2018-0316
A vulnerability in the Session Initiation Protocol (SIP) call-handling functionality of Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware could allow an unauthenticated, remote attacker to cause an affected phone to reload unexpectedly, resulting in a temporary denial of service (DoS) condition. The vulnerability exists because the firmware of an affected phone incorrectly handles errors that could occur when an incoming phone call is not answered. An attacker could exploit this vulnerability by sending a set of maliciously crafted SIP packets to an affected phone. A successful exploit could allow the attacker to cause the affected phone to reload unexpectedly, resulting in a temporary DoS condition. This vulnerability affects Cisco IP Phone 6800, 7800, and 8800 Series Phones with Multiplatform Firmware if they are running a Multiplatform Firmware release prior to Release 11.1(2). • http://www.securitytracker.com/id/1041073 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-multiplatform-sip • CWE-399: Resource Management Errors CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2018-0325
https://notcve.org/view.php?id=CVE-2018-0325
A vulnerability in the Session Initiation Protocol (SIP) call-handling functionality of Cisco IP Phone 7800 Series phones and Cisco IP Phone 8800 Series phones could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. The vulnerability is due to incomplete input validation of SIP Session Description Protocol (SDP) parameters by the SDP parser of an affected phone. An attacker could exploit this vulnerability by sending a malformed SIP packet to an affected phone. A successful exploit could allow the attacker to cause all active phone calls on the affected phone to be dropped while the SIP process on the phone unexpectedly restarts, resulting in a DoS condition. Cisco Bug IDs: CSCvf40066. • http://www.securityfocus.com/bid/104202 http://www.securitytracker.com/id/1040927 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-ip-phone-dos • CWE-20: Improper Input Validation •