6.1

CVE-2023-20218

A vulnerability in web-based management interface of Cisco SPA500 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to to modify a web page in the context of a user's browser.

 This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks.

 Cisco will not release software updates that address this vulnerability.  

  {{value}} ["%7b%7bvalue%7d%7d"])}]]

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CiscoSpa500ds Firmware Version-
   CiscoSpa500ds Version-
CiscoSpa500s Firmware Version-
   CiscoSpa500s Version-
CiscoSpa501g Firmware Version-
   CiscoSpa501g Version-
CiscoSpa502g Firmware Version-
   CiscoSpa502g Version-
CiscoSpa504g Firmware Version-
   CiscoSpa504g Version-
CiscoSpa508g Firmware Version-
   CiscoSpa508g Version-
CiscoSpa509g Firmware Version-
   CiscoSpa509g Version-
CiscoSpa512g Firmware Version-
   CiscoSpa512g Version-
CiscoSpa514g Firmware Version-
   CiscoSpa514g Version-
CiscoSpa525 Firmware Version-
   CiscoSpa525 Version-
CiscoSpa525g Firmware Version-
   CiscoSpa525g Version-
CiscoSpa525g2 Firmware Version-
   CiscoSpa525g2 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.1% 0.251
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
psirt@cisco.com 5.8 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.