Cisco Desk Phones and Video Phones Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the web user interface of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875, all running Cisco SIP Software. It allows an unauthenticated, remote attacker to conduct XSS attacks against users of the web UI. The issue arises because the web UI does not properly validate user-supplied input. An attacker could exploit this by persuading a user to click a crafted link, which could lead to arbitrary script code executing in the context of the affected interface or to access to sensitive, browser-based information. Exploitation requires that the phone be registered with Cisco Unified Communications Manager and have Web Access enabled; Web Access is disabled by default.
Impact
Exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks, executing arbitrary script code in the context of the user's web interface or accessing sensitive browser-based information.
Remediation
Cisco has released software updates to address this vulnerability. Instructions for upgrading to a fixed release can be found in the Cisco Security Advisory related to this vulnerability.
