7.5

CVE-2024-20378

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.  

 This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CiscoIp Phone 6821 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 6821 Version-
CiscoIp Phone 6821 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 6821 Version-
CiscoIp Phone 6841 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 6841 Version-
CiscoIp Phone 6841 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 6841 Version-
CiscoIp Phone 6851 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 6851 Version-
CiscoIp Phone 6851 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 6851 Version-
CiscoIp Phone 6861 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 6861 Version-
CiscoIp Phone 6861 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 6861 Version-
CiscoIp Phone 6871 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 6871 Version-
CiscoIp Phone 6871 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 6871 Version-
CiscoIp Phone 7811 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 7811 Version-
CiscoIp Phone 7811 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 7811 Version-
CiscoIp Phone 7821 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 7821 Version-
CiscoIp Phone 7821 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 7821 Version-
CiscoIp Phone 7841 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 7841 Version-
CiscoIp Phone 7841 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 7841 Version-
CiscoIp Phone 7861 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 7861 Version-
CiscoIp Phone 7861 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 7861 Version-
CiscoIp Phone 8811 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 8811 Version-
CiscoIp Phone 8811 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 8811 Version-
CiscoIp Phone 8841 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 8841 Version-
CiscoIp Phone 8841 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 8841 Version-
CiscoIp Phone 8851 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 8851 Version-
CiscoIp Phone 8851 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 8851 Version-
CiscoIp Phone 8851nr With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 8851nr Version-
CiscoIp Phone 8861 With Multiplatform Firmware Version < 12.0.4
   CiscoIp Phone 8861 Version-
CiscoIp Phone 8861 With Multiplatform Firmware Version12.0.4 Update-
   CiscoIp Phone 8861 Version-
CiscoVideo Phone 8875 With Multiplatform Firmware Version < 2.3.1.0101
   CiscoVideo Phone 8875 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.8% 0.735
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
psirt@cisco.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.